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TAMPER RESISTANT NflCROPROCESSOR 

BACKGROXJND OF THE INVENTION 

1. I'leld of tlie Invention 

The present invention relates to a miciDproccssor that can 
prevent illegal allemafion ul' execution cuclen anil processing 
tac]get data under a multi-task program execution environ- 
ment. 

2. Description of the Background Art 
In recent years, the performance of a micropmccssor has 

improved considerably Mich that the micropit)ces.sor is 
capable of realizing reproduction and editing of vide(.i 
images and audio sounds, in addition to tlie conventional 
fnnctbns such as computations and graphics. Hy imple- 
menting such a micro|)rocessnr in a system designed for 
end-user (which will be referred to as PC heieafter), the 
users can enjoy various video unagcs and audio sounds on 
monitors. Also, by combing the function for reproducing 
video images and audio sounds with the computational 
power of the PC, the applicability to games or the like can 
be improved. Such a microprocessor is not designed for any 
specific hardware and can be implemented in a variety of 
hardwares so that there is an advantage that the users who 
already possess PCs can enjoy reproduction and editing of 
video images and audio sounds inexpensively by simply 
changing a microprocessor for executing programs. 

In the case of handling video images and audio sounds on 
PCs, there arises a problem of a protection of the copyright 
of original images or music, in I be MD or digital video 
playback devices, unlimited copies cao be prevented by 
implementing a mechanism for prevenling the illegal copy- 
ing in these devices in advance. It is rather rare to attempt 
Ike illegal copying by disassembling and altering Ibese 
devices, and even if such devices are made, there is a 
worldwide trend for prohibiting the manufacturing and sales 
of devices altered for the purpose ol illegal copying by laws, 
(\insequently, damages due to the hardware based illegal 
copying arc not very serious. 

However, image data and miLsIc data are actually pro- 
cessed on the PC by the software rather than the hardware, 
and the end-aser can freely aher the software on the PC. 
Namely, if the user has some level of knowledge, it is quite 
feasible to carry out the illegal copying by analyzing pro- 
grams and rewriting the executable software. In addition, 
there is a problem that the software for illegal copying so 
produced can be spread vcr^' quickly through media such as 
networks, unlike the hardware. 

In order to resolve these problems, conventionally a PC 
software to be used for reproducing copyright protected 
contents such as commercial Hlms or music has employed a 
technique for preventing analysis and alternation by encrypt- 
ing the soi'lware. This Lechnique Ls known as a tamper 
resistant software (sec David Aucsmith et al., "Tamper 
Resistant Software: An Implementation^, Proceedings of the 
1996 Intel Software Developer *s Conference). 

The tamper resistant software technique is also cffcctivc 
in prevenling illegal copying of valuable inlbrmation includ- 
ing not only video and audio data bul also text and know- 
how that is to be provided to a user through the PC, and 
protecting know-how contained in the PC software itself 
from analysis. 

However, the tamper resistant software technique is a 
technique which makes analysis using ujols such as deas- 
sembler or debugger diHIcult by encrypting a portion of the 



,374 B2 

2 

program that requires protection before the execution of the 
program slarts, decrypting thai portion immediately before 
executing that portion and encrypting chat portion again 
immediately alter the execution of that portion is completed. 
Conseijuenlly, as along as the program is execulabk by a 
processor, it is always possible to analyze the program by 
carrying out tlie analysis step by step starting from the start 
of the program. 

'this fact has been an obstacle for a cojwright owner to 
provide copyright protected contents to a .system for repm- 
ducing video and audio data using the PC. 

The other tamper resistant software applications are also 
vulnerable in ibis regard, and ihLs f»ct has been an obstacle 
to a sophisticated information server through the PC and an 
api)lication of a program containing Icnow-hrYW of an enter- 
prise or individual to the HI. 

Ihese are problems that equally apply to the software 
protection in general, but in addition, the PC is an open 
platform so that there is also a problem of an attack by 
altering the operating system (OS) which is intended to be 
a basis of the system's software conligu ration. Nanxily, a 
skilled and malicious user can alter the OS of his own to 
invaUdate or analyze the copyright protection mechanisms 
incorporated in application programs by utilizing privileges 
given to the OS. 

The current OS realizes the management ol" resources 
under the control of the computer and the aibilraiion of their 
uses by utilizing a privileged operation function with respect 
to a memcx'y and nn execution control function provided in 
CPU. Targets of the management include the conventional 
targets such as devices, CPU and memory resources, as well 
as QoS (Quality of Service) at network or application level. 
Nevertheless, the basics of ihe resource management are still 
allocations of resources necessary for the execution of a 
35 program. Namely, an allocation of a CPU time to the 
execution of that program and an allocation of a memory 
sx>ace neoes.sary for the execution are the besics of the 
resource management, 'llie control of the other devices, 
network and application QoS is realized by controlling the 
execution of a program that makes accesses to these 
resources (by allocating a CPU time and a memory space). 

The OS has pnvileges for carrying out the CPU lime 
allocation and ihe memory space allocation. Namely, Ihe OS 
has a privilege for inierrupiing and leslarting an application 
45 program at arbitrary liming and a privilegje to move a content 
of a memory space a11ix:ated to an application program to a 
memory of a dillerenl hierarchical level al arbitrary liming, 
in order to cariy out the CPU time allocation. The latter 
privilege is also used for the pu/i>ose of providing a flat 
50 memory space to the application by concealing (normally) 
hierarchical memory systems with different access speeds 
and capacities fmm the application. 

Using these two privileges, the OS can interrupt an 
execution st ale of Ihe application and take a snap shot of it 
55 at arbitrary timing, and restart it after making a copy of it or 
rewriting it. This function can also be used as a tool for 
analyzing secrets hidden in the application. 

In order to prevent an analysis of the application on a 
computer, there arc several known techniques for encrypting 
00 programs or data (Rampsou, U.S. Pal. No. 4,847,902; 
Harlman, U.S. Pal, No. 5,224,166; Davis, U.S. Pal. No. 
5,806,706; Takahashi ct al., U.S. Pat. No. 5,825,878; Bucr et 
al., U.S. Pat. No. 6,003,117; Japanese Patent Application 
Laid Open No. U-2S2667 (1999), for example). However, 
OS these known tccliniqucs do not account for the protection of 
the program operation and the data secrecy from the above 
described privileged operations ol the OS. 
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The convenlional lechnique based cm Lhe xS6 archileaure 
of iutel Cofporatioa (Ilartmaa, U.S. Pat. No. 5^24466) Ls 
a leclinic|ije for sloring the execution codes and data by 
encrypting Ihem by uying a prescribed encryption key Kx. 
'l*he cncr>'ptioii l»y Kx is given in a form of Ej^-rC^^] which 
is encrypted by using a public key Kp corre.spoDding to a 
secret key Ks embedded in a processor. Consequently, only 
tlie processor that knot's Ks can decrypt the encrypted 
execution codes on a memory. The encryption key Kx is 
staved in a register inside the processor called a segment 
register. 

Using this mechanism^ it is possible to protect the secrecy 
of the program codes from the user to some extent by 
encryjiting the codes. Also, it becomes cryptograph ically 
difficult for a person who docs not know the cncryptwn key 
Kx of the codes to alter tlic codes according to his intention 
or iKwly pioducc codes that arc executable when decrypted 
by using the encryption key Kx. 

However, the sv-slem employing this technique has a 
drawback in thai the analysis o£ the program becomes 
possible by utilizing a privilege of the OS called a context 
switching, without decrypting the encrypted execution 
codes. 

More speciiically, when the execution of the program is 
stopped by the interruption or when the program voluntarily 
calls up a software interruption command due to the system 
call up, the OS carrieA» out the context switching for the 
purpose of the execution of the other program, 'fhe context 
switching is an operation to store an execution state (which 
will be mferred to as a context information hereafter) of the 
program Indicatiag a set of register values at that point into 
a memory; and restoring the context information of another 
program stored in the memory In advance into the registers. 

FIG. 15 shows the conventional context storing format 
used in the xK6 processor. All the o^ntents of the registers 
used by the application are contained here. 'Ilie context 
information of the inteiruptul program is restored into the 
registers when the program is restarted. 'ITie context switch- 
ing is an indisj)ensal)le function in order to operate a 
plurality of programs in parallel. In the conventional 
technique, the OS can read tlie register values at a time of the 
context switching, so that it is possible to guess most of the 
operations made by the programs if not all, according to how 
the execution state of that program has changed. 

In addilioD, by controlling a timing at which the cxccptioa 
occurs by setting of a timer or the like, it is ix)ssn)le to carry 
out this processing at artiitraiy execution ix>int of the pro- 
gram. Apart from the interruption of the execution and the 
analysis, it is also possible to rewrite the register information 
by malicious intention. The rewhtiog of the registers can not 
only change the operation of the program but also make the 
program analysis easier. The OS can store arbitrary state of 
the appKcation so that it, is possible to analyze the operation 
of the program by rewriting the register values and operating 
the program repeatedly. In addition to the above described 
fimctions^ the processor has a debugging support function 
such as a stepwii^e execution, and there has been a problem 
that the OS can analyze the application by utihzing all these 
functions. 

As far as data are concerned, U.S. Pal. No. 5,224,166 
asserts that the program can access the encr>'pted data only 
by the prt^am execution using the encrypted code segment. 
Here, there is a problem that the encrypted data can be freely 
read by the encrypted program by using arbitrary key, 
regardless of the encryption key by which the program is 
encrypted, even when there are programs encrypted by using 
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mutually dillerent encryption keys. This conventional tech- 
nique does not account for the case where the OS and the 
application have their own secreU> independently and the, 
secret of the application is to be protected from lhe OS or a 
5 plurality of program providers have their own secrets sepa- 
rately. 

Of course, it is ix>ssible to separate memory spaces among 
the applications and to prohibit accesses to a system memory 
by the applications by the protection futKtion provided in 
^'^ the virtual memory mechanism even in the existing proces- 
sor. However, as long as the virtual memory mechanism is 

tmder the management of the OS, the protection of the secret 
of the application cannot rely on the function under the 
management of tlwj OS. This is because the OS can access 
data by ignoring the protection mechanism, and this pri\i- 
Icgc is indispensable in providing the virtual memory func- 
tion as described above. 

As anoLher conventional tecbmqiie, Japanese Patent 
Application Laid Open No. 11-282667 (1999) discloses a 
technique of a secret memory provided inside the CPU in 
order to store the secret iolormaliuo of the application. In 
this technique, a prescribed reference value is required in 
order to acce.ss data in the .secret memory. However, Ihis 
reference faUs to disclose how to protect the reference value 
for obtaining the access right with respect to the secret data 
lium a plurality of programs operating in the same CPU, 
esi^ecially the OS. 

Also, in U.vS. Pat. No. 5,123,045, Ostrovsky ct at. disclose 
a system that presupposes the use of sub-processors having 
tmique secret keys coircsponding to the applications, in 
which tlic operation of the program cannot he guessed from 
the access pattern by which these sub-processors are access- 
ing programs placed on a main memory. This is based on a 
mcdianism for carrying out random memory accesses by 
converting the instnictioD system Cor carrying out operations 
with respect to die memory into another instruction system 
dilTeicnt ixom that. 

However, this technique requires different sub-processors 
4]^ for diffetpcnt applications so that it requires a high cost, and 
the impfcmcniation and fast realization of (he compiler and 
processor hardware for processing such instmction system 
arc expected to be very difficult as they arc quite different 
firom those of the cunently used processors. Besides that, in 
45 this type of processor, it becomes difficult to comprehend 
correspondences among the data contenUi and the operations 
even when the data and the opciatx>a5 of the actually 
operated codes are observed and traced so that tlie debug- 
ging of the program becomes very dilCcull, and therefore 
this tecbm'quc has many practical problems, compared with 
the other conventional technic] ues described above in which 
the program ccnles and the data are simply encrypted, such 
as those of U.S. PaL No. 5,224,166 and Japanese Patent 
Application Laid Open No. 11-282667. 

SUMMARY Ob INVEN HON 

Therefore the liisl object of the present invention is to 
provide a microprocessor capable of surely protecting both 
the internally executed algorithm and the data state inside a 
00 memory region from illegal analysis in the multi-task envi- 
ronment even when the execution is stopped by the inter- 
ruption. 

This liret object is motivated by the fact that the conven- 
tional techniques are capable of protecting values of the 
0$ program codes but arc incapable of preventing the analysis 
utilizing the iuterrupiicm of the program execution by the 
exception occurrence or the debugging function. Thus the 
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present invention aims al pruvulmg a microprocessor 
capable of surely protecting tlie codes even at a time of the 
program execution inlerruptioD, in wliich this protection is 
compel lible wiih boib the execuiioD conirol funciion axul the 
memory management function required by the ciirceut OS. 

The second object of the present mveniion is to provide a 
microprocessor in wincli cacti program can secure a cor- 
rectly readable/writable data region independently even 
wben a plurality oi' programs encrypted by using ditlerent 
encryption keys are to l)e executed. 

'this second object is moLivaLed by the fact Ibat the 
conventional technique of U.S. Pal. No. 5^24,166 only 
provides a simple protection in wliicti acce«;es to the 
encrypted data region by non-encrypled codes are 
prohiljited, and it has been impossi1)1e for a plurality of 
pmgranis to protect their own secrete independently, ITius 
die present invention also alms at providing a microproces- 
sor which has a data region for pn-jtecting secret of eacli 
application from tlie OS when a plurality of applications 
have their respective (encrypted) secrets. 

'the third oliject of the present invention is to provide a 
microprocessor capable of protecting the protected attri1>utes 
(i.e.,encryi)ted attrilmted) of the above descrilied data region 
from illegal rewriting by the OS. 

Ihis third object is motivated by the fact that the con- 
ventional technique of U.S. Fat. No. .5.224,166 has a draw- 
hack ill that the OS can rewrite the encrypted attrilmtes set 
in the segment register by interrupting the execution of the 
program using tlie context switching. Once the program is 
put in a state where data arc written in a form of plaintext by 
rewriting the encrypted attributes, data will not written into 
a memory without encryption, liven if the application 
checks the segment register value at some timing, the result 
is the same if the register value is rc^Tittcn after that. Thus 
the present invention also aims at providing a microproces- 
sor provided with a mechanism which is capable of prohib- 
iting such an alteration or delecting such an alteration and 
taking appropriate measure agamst such an altcratk>n. 

'the hiiirth object of the present invention is to provide a 
microprocessor capable of protecting the encrypted 
aUrihutes from the so called chosen-plaintext attack of the 
cryptoanalysis theory, in which the program can use arbi- 
trary value as the data encryption key. 

The filth object ol the present invention is to provide a 
microprocessor pnnvkled with a mechanism for the pn^gram 
debug^ng and feeilback. Namely, the present invention 
aims at providing a miciuprucessur in which the debugging 
of the program is carried out in plaintext and the feed1>ack 
of inlbimation cm defects h> piovuled to a program code 
pmvider (program vendor) in the case of the execution 
failure. 

The sixth object of the present invention is to provide a 
microproces.sor capable of achieving the first to fifUi objects 
described above in a form that realizes both a low cost and 
a high performance. 

In order to achkvc the first object, the first aspect of the 
present invention has the following fcamrc.s. The micmpro- 
cessor which is formed as a single chip or a single package 
reads a plurality of programs encrypted by using code 
encryption keys that are difierent for diiferent programs, 
from a memory' (a main memory, for example) external of 
the microprticessor through a bus interface unit thai provides 
a reading lunclion. Adecryplion unit decrypts these plurality 
of read out programs by iising respectively corresponding 
decryption keys, and an instruciion execution unit executes 
these plurality of decrypted programs. 
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In the case ol inlerrupting the execution of some program 
among the plurality of programs, a context information 
encryption/decryption unit that provides an execution stale 
writing function encrypts inlbrmation indicating a stale of 
5 execution up to an interrupted point of ibc program lo be 
interrupted and the code encryptioD key of this program, by 
using an encryption key unique xo the microprocessor, and 
writes the encrypted information as a context information 
into a memory external of the micmpmcessor. 

In the case of restarting the interrupted program, a veri- 
fication unit that provides a restart! i^ function decrypts the 
encrypted context information by usii^ a unique decryption 
key corresponding to the unique encryption key of the 
microprocessor, and restarts the execution of the program 

^•^ only when the code encryption key contained in the 
dccr>'ptcd context information (thai is the code encryption 
key of the program scheduled to be restarted) coincides with 
the original code encryption key of the interrupted program. 

In addition, in onler lo achieve the second and third 
objecis, the microprocessor also has a memory region (a 
register, Ibr example) inside ibe processor that cannot be 
read out lo (he external, <ind an encrypted attribute writing 
unit (an insiruction TLB, for example) lor writing encrypted 
attributes for the processing target data of the program into 
the internal memory, 'ihe encryi>ted attributes include the 
code encryption key of the program and an encryption target 
address range, for example). At least a part of these 
encry])ted attriluites is contained in the c^intcxt information. 

The contexi inrormation encTyplion/decryption unit also 
attaches a signature based on a secret information unique lo 
the micro|irocessor to the context information, in this case, 
the verification unit judges whether die signature contained 
in the decrypted context information coincides widi the 
original signature based on the secret information unique to 
the microprocessor or not, and restarts the interrupted pm- 
gram only when tliey coincide- 
In this way, the stale of execution up to an inlerrupte<l 
point of the encrypted program is stored in the external 
memory as ttie context information, while the protected 
attril)utes of tlie execution processing target data are stored 
in die register inside the pmcessor, so that the illegal 
alteration of the data can be prevented. 

In order to achieve the frmrth oliject, the second as^Kct of 

45 the present invention has the following features. The m icm- 
proccssor that is formed as a smglo chip or a single package 
maintains a unique secret key therein that cannot be read out 
to the external, lite Ims interface unit that provides a Heading 
function reads the code encryption key that is encrypted by 

su using a unique public key of the micropnicessor correspond- 
ing to the secret key m advance from a memory external of 
the microprocessor. A key decryption unit that provides a 
first decrj'ption function dccrj'pts the read out code encryp- 
tion key by using the secret key of the micxoproccssor. The 

55 bus interface unit also reads oiu a plurality of programs 
encrypted by respectively dififcrent code encryption keys 
from an external memory. A code decryption unit that 
provides a second decryption funclion decrypts ihese plu- 
rality of read out programs. The instruction execution unit 

(iO executes these plurality of decrypted programs. 

In the case of interrupting the execution of some program 
among the plurality of programs, a random number genera- 
tion mecbaoism generates a raixlom number as a temporary 
key. The context information encrypliou/Xlecrypiion unit 

65 writes a first value obtained by encrypting information 
indicating the execuUou state of the progiam to be inter- 
rupted by using the random number, a second value obtained 
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by cncrj-piing ihis random number by using Ibe cwle encryp- 
tion key of the program to be interrupted, and a third value 
ubiHined by cncrypiiDg this random number by using the 
secret key ul the microprocessor, into ibe external memory 
as the context information. 

In the case of restartir^ the execution of the program, the 
context information encryi>tion/decryption unit reads out the 
context information from the external memory, decrypt the 
random number of the third value c^^ntained in d^e context 
information by using the secret key, and dccrj'pts the execu- 
tion slate information contained in the context information 
by using the dcayptcd random number. At the same time, 
the random number of the second value contained in the 
context information is decrypted by using the code encryp- 
tion key of the program scheduled to be restarted. The 
random munbcr obtamcd by decrypting the second value by 
using the code encryption key and the random number 
obtained by decrypting the third vaUic by using die secret 
key are compared with the temporary key, «nd the execution 
of the program is restarted only v/hoa they coinddo. 

In this way, the context information indicating the state of 
execution up to an iniemipted point i& encrypted by using 
the random number that is generated at each occasion of Ihe 
storing, and Ihe signature using the secret key unique to ihe 
microprocessor is attached, so that the context information 
can be stored in the external memory safely. 

In onJer to achieve the first to third and sixth objects, the 
third aspect of the present invention has the following 
features. iTie inicropmcessi>r that is formed as a single chip 
or a siDgte package reads out a plurality of programs 
encrypted by using the encryption kc\^ that arc different for 
different pmgranis, and executes them, 'this microprocessor 
has an internal memor>' (a register, for example) that cannot 
be read nut to the external, and stores the encrypted 
attributes for data to be rcfcncd from each program (that is 
the processing target data) and tbc encrypted attribute spcci> 
lying inibrmation into the rcgUler. The context information 
cncryption/dccrypcioD unit writes a related information that 
is related to the encrypted attribute specifying information 
stored in the rcgistcTand containing a signature unique to the 
microprocessor, into tbc external memory. Aprotcction table 
management unit reads the related information from the 
external memory according to an address ol the data to be 
referred by the program. The veriilcation unit verifies Ihe 
signature contained in the read oul relale<1 information by 
using the secret key, and permits the data referring by the 
program according lo the encrypted attribute specifying 
information and the read oul related inibrmation only when 
that signature coinckles with Ihe signature uni&|ue to Ihe 
microprocessor. 

In this configuration, the information to be suved in the 
internal register is attaclied with the signature and stored into 
the external memory, and only the necessary jx^rtion is read 
out to the niicroproces.sor. 'Ilie signature is verified at a time 
of reading, so that the safety against the substitution can be 
secured, liven when the number of pn>grams to be handled 
is increased and the number of the encrypted attributes is 
increased, there is no need to expand the memory region 
inside the microprocessor so that a cost can be reduced. 

According lo one aspect of the present invention there is 
provided a microprocessor having a uaiquc secret key aod a 
unique public key corresponding to the unique secret key 
that cannot be read out to external, comprising: a reading 
xmit configured to read out a plurality of programs encrypted 
by using dillcrent execution code encryption keys from an 
external memory; a decryption unit configured to decTypt the 



30 



35 



55 



60 



05 



plurality of programs read oul by the reading unit by u.sing 
respective decryption keys; an executk)n unit configured to 
execute Ihe plurality of programs decrypted by the decryp- 
tion unit; a context information saving unit conligured lo 
save a context information for one program whose cxeaition 
is to be interruple^t, into the external memory or a conlexl 
information memory provided inside the microprocessor, 
the context information containing information iudicnting an 
execution state of the one program and the execution code 
encryinion key of tlie one program; and a restart unit 
configured to restart an execution of the one program by 
reading out the context information from the external 
memory or the context information memory, and recovering 
the execution state of the one program from the context 
information. 

Other features and advantages of the present invention 
will become apparent from tbc following description taken 
in conjimction with tbc accompanying drawings. 

BRlEf DESCRIPIION OF IHE DRAWINGS 

FIG. 1 is a block diagram showing a system incorporating 
a microprocessor according to the lirst embodiment of the 
present invention. 

I-I(t. 2 is a diagram showing an entire memory space used 
in the microprocessor of FIG. 1. 

I Ki. 3 is a block diagram showing a basic configuration 
of a microprocessor according to the second embodiment of 
the present invention. 

FIG. 4 is a block diagram showkg a detailed configura- 
tioD of the microprocessor of FIG. 3. 

FIG. 5 is a diagram showing a page directory' and a page 
labfe format useil in Ihe microprocessor of FIG. 3. 

FIG. 6 is a page table aod a key entry format used in the 
microprocessor of !■)(•. 3. 

FIGS, 7A and 7B are diagrams respectively showing 
exemplary data l'>efore and after interleaving used in the 
microprocessor of FIG. 3. 

FIG. 8 is a diagram showing a llow of information Ibr a 
code decryption processing to be carried out in tbc micro- 
processor of FIG. 3. 

I-IO. 9 is a diagram showing a CPU register used in the 
microprocessor of FIG. 3. 

I'Ki. 10 is a diagram showing a ointext saving format 
used in the microprooessor of FIG. 3. 

FIG. 11 is a flow ciiart for a protection domain switching 
procedure to be carried out in the microprocessor of FIG. 3. 

FIG. 12 is a diagram showing a flow of information for 
data encryption and decryption processing to tx: carried oul 
in the microprocessor of FIG. 3. 

FIG. 13 is a diagram conceptually showing a process of 
execution control within a protection domain by the micro- 
processor of FICj. 3. 

l-Ki. 14 is a diagram concepmally showing a process of 
call up and branching from a protection domain to a oon- 
protection domain by the microprocessor of FIG. 3. 

FIG. 15 is a diagram showing a context saving format 
used in a conventional processor. 

DETAILED DESCRIPTION OF THE 
PRtiFERRLII) UMMODlMliN TS 

Referring now to FIG. 1 and FIG. 2, the first embodiment 
of a tamper resistant microprocessor accoEiling to Ibe preseni 
invention will be descril>ed in detail. 
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This lirsl embtxlimenl is clirecled lo a microprocessur for 
prolccling secrets of Ihe program inslruclions (execution 
codes) and the context information (execution state) which 
are to l)e provided in encrypted forms by using the |iublic 
key (asymmelric key) cryptosystem, liom a user of a target 
system. 

FIG. 1 shows the target syslem, where a microprocessor 
2101 of ibt; target syslem is cunoecled to a mam memory 
2103 through a bus 2102. 

As showtt ID FIG. 1, in this embodiment, the micropro- 
cessor 2101 has a register flic 2111, an instruction execution 
unit 2112, an inslrucliuD buQcr 2113, a public key desciyp- 
lion function 2114, a secret key register 2115, a common key 
decryption function 2116, a common key register 2117, a 
lUU (HuA Interface Unit) 2118. a register buffer 2119, a 
public key register 2120, an encryption function 2121, a 
decryption function 2122, and a previous common key 
register 2123. which will be described in further detail 
below. 

First, the terms to be used in the following description will 
be described, and the operation of general ojierating system 
(OS) and application programs will be described briefly. A 
program is a set of data and a scries of machine language 
instructions written for some specific purpose. The OS is a 
program for managing resources of tlx; sj-stcm, and the 
application is a program to be c^perated under the resource 
management of the OS. This cmbodinKot presupposes the 
mxdii-task system, so that a plurality of application programs 
will be operated in a quasi parallel manner under (he 
management of the OS. Each one of these programs that arc 
operated in the quasi parallel manner will be referred to as 
a process. Hiere are cases where a set of processes for 
executing the processes for the same purpose will be 
referred lo as a task. 

The instmctkuis and data of the application program arc 
usually stored in files on a secondary memory. They are 
arranged on a memory by a loader of tlie OS and executed 
as a process. The execution of the program is often inter- 
rupted by an exception (or interruption) processing of the 
processor caused by mput/output or the like. A program for 
carrying out the exception processing wiU be reiJt^ned lo as 
an exception handler. The exception handler is usually set up 
by the OS. The OS can process an exception request from 
the hardware, interrupt the operation of fiie application and 
restart or start Ihe operation of another appHcalion at arbi- 
liary liming. The interruptions of Ihe process include tran- 
sitory cases where the execution of the original process is 
restarted without switching processes after the execution of 
the exception handler, and cases requiring Ihe process 
switching. Examples of the former include a sample timer 
increment and examples of the latter include a virtual 
nienx)ry processing due to tlie page exception. 

The object of this cmbodiojcnl is to protect the program 
instructions (execution codes) and the execution state from 
a user of the target syslem who can ixeely read the main 
memory of the target system and freely alter the OS program 
or application programs. 

The basic features for achieving this object arc the access 
control with respea to the information swrage ia^dc the 
processor and the encryption based on the information listed 
below. 

(1) A common key Kx selected by a program creator. The 
application program will be encrypted by the secret key 
cryi>insy.steni using tliis key. 

(2) A pair of a unique public key Kp and a unique secret 
key Ks provided inside the processes. The public key can be 
read out by the program by using instructions. 
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(3) An encryption key information in which the uummon 
key Kx of the program Js encrypted by using the public key 
Kp of the processLir. 

[Lixecution of a Plaintext Program] 
^ '111 is prix:efisor is capable of executing a program with 
cocxistiiig plaintext instructions and encrypted instiuctions 
which is placed on the main memory. Here the operation 
inside the CPU for the execution of a plaintext program will 
be described with references to FIG. 1 and a memory 
^'^ arrangement shown in FIG. 2. 

FIG. 2 shows an entire memory space 2201, in which 
programs are placed in regions 2202 to 2204 on the main 
memory, where regions 2202 and 2204 are plaintext regions 
while a region 2203 is an encrypted region. A region 2205 
stores a key inlbrmalion to be used in decr3rpling the region 
2203. 

The execution of the pivtgram is started as the coniA'>l is 
shifted from tlie OS by an instruction for jump to a uip X of 

20 the program or the like. The instmction execution unit 2112 
executes tlie instruction for jump to X, and outputs an 
address of the instruction to the HIU 2118/l>ie content of the 
address X is read through the bus 2102, sent from the RIU 
2118 to the instruction buffer 2113, and sent to the instmc- 

25 tion execution unit 2112 where the instruction is executed. 
Its operation result is reflected in the register file 2111 . When 
the operation target is reading/writing with respect to an 
address on the main memory 2103, its address value is sent 
to the niU 2118, that address is outputtcd from the BTU 2118 

JO to the bus 2102, and data reading/writing with respect to the 
memory is carried out. 

The instruction builcr 2113 has a capacity for storing two 
or more instructions, and the instructions corresponding to a 
size of Ihe instruction bu Her 2113 are collectively read out 

5>S £rom the main memory 2103. 

[Lxecution of Lncryx>ted Instructions] 

Next, the ca.se of executing an encrypted instruction will 
be described. 'Ilie processor of this embodiment has two 
states including the execution of plaintext instructions and 
tlie execution of encrypted instructions, and two types of 
instructions for controlling these states are provided. One is 
an encryption execution start instruction for making a tran- 
sition fiom the cxccutk>n of plaintext instructions to the 
execution of encrypted instructions, and another is a plain- 
text rctum instruction for making a reverse transition. 

[Encryption Execution Start Instruction] 

The encryption execution start instruction is denoted by 
the following mnemonic "execenc" and takes one operand: 

^'^ execenc keyaddi* 

where "kcyaddr"* iixlicatcs an address where the key infor- 
mation to be used in decry|iting tlie subsequent instructions 
is stored. 

55 [Key Information] 

Here, the key mfonnation and the program encryption 
will be described. The cncr^'ptcd region 2203 comprises a 
sequence of encrypted injuructions. The instructions arc 
subdivided into blocks in units of a prefetch queue size and 

60 encrypted by the secret key algorithm such as DES (Data 
Encryption Standard) algorithm. A key to be used in Ibis 
encryption will be denoted as Kx hereafter. Since the secret 
key algorithm is used, Uie same key Kx is also used for the 
decryption. 

OS If tliis Kx is placed on the main memory in a plaintext 
ibrm, a user who can operates the OS of the target syslem 
can easily read it and analyze the encrypted program. In 
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ortler lo prevenl this, E^-^£Kx] oblained by encrypting Kx by 
using Ihe public key of ihe processor will be placed in ihe 
region 2205 of the memory. A top address of this region is 
indicated by **keyaddr". 

Il is ciyplographically (cumpiitaliooally) impossible lu 
decrypt Kx from E^^Kx] unless one knows Ks correspond- 
ing to the public key Kp. Oinscqueiitly, tlie secret of the 
program will never Ims leaked to the user as long as tlie user 
of the taigct system docs aot know Ks. This Ks is stored in 
a form that cannot be read out from the cxtcraal, iosidc the 
processor. 'Ilie pAxrcssor can decrypt Kx internally without 
allowing ihe user lo learn about it, and the processor can also 
decrypt the encrypted program by using Kx and execute it. 

In the following, the encryption execution start instruction 
and the subsequent I be execution of the encrypted instruc- 
tion will be described in detail. I)y the execution of the Jump 
instruction in a region 2207, the control is shifted ti^ the 
encryjition execution start itistruction at the address *' start". 
At the address indicated by the operand ''kcyaddr" of the 
encryjition execution start instruction, the content of the 
specified region 2205 is read out to the Instruction cxecutJon 
unit 21 12 of the processor as data, llie Instruction execution 
unit 2112 sends this data £^£Kx] to the public key decryp- 
tion function 2114. 'i*he public key decryjition function 2114 
takes out Kx by decrypting ii^JiKx] by using a secret key Ks 
unique to the processor which is stored in the secret key 
register 2115, and stores it in the common key register 2117. 
Then, the processor enters the encrypted instruction execu- 
tion state. 

HcrCp it is assumed that the processor package is manu- 
factured such that the contents stored in the secret key 
register 2115 and the common key register 2117 cannot be 
read out to the cictcmai by the program or the debugger of 
the processor chip. 

By executing Ihe encryption execution start instrucdon, 
the key to be used in decrypting the subsequent inslnictions 
is stored into the comnoon key rejpsler 2117, and ihe 
processor is entered into the encrypted inKtriiclion execution 
stale. When the processor is in the encrypted iustruaioa 
execution state, the inslructions read liom ihe main memory 
2103 are sent from ihe BlU 2118 lo a common key decryp- 
tion fu action 2116, decrypted by using ihe key inTormaiion 
stored in the common key register 2117 and stored into the 
iastniction buffer 2113. 

In this embodiment, ihe program encrypted by using the 
key Kx which is stored in the region 2204 next to the 
encryption execution start instruction will be decr3npied, 
stored in the inslniclion buHer 2113, and executed. The 
reading is carried out in units of a size of the instruction 
buffer 2113. 1-IG. 2 shows an exemplary case where the size 
of the instruction buffer 2 1 13 is 64 bits and four instructions 
of 16 bits size each are collectively read out to tho instruc- 
tion buffer 2113. 

[Plaintext Return Instruction] 

'Hie proocflsor in the encrypted instruction execution state 
returns to the plaintext instruction execution state hy the 
execution of the plaintext return instruction. 

The plaintext return instructioa is denoted by the follow- 
ing mnemonic: 

exitenc 

which lakes no operand. By execution of Ihis insliuclion, the 
reading of the instructions from the main mcut^ory 2103 is 
carried out through a palh that does not pass through the 
common key decryption lunclion 2116, and the processor 
returns to the execution of the plaintext instructions. 

Note thai when Ihe encryption execution start instruction 
is executed again during the execution of the encrypted 
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instruction, the instruction decryption key is changed such 
that ihe subsequent instructions are decrypted by using a 
different key and executed. 

[Oxitcxt Saving and Attack Against It] 

5 Next, the sale saving of the execution stale in order lo 
protect the secret of the application program in the multi- 
task environment will be descril>ed. 

The register flic 2111 of this processor has 32 general 
puq)ose registers (KO to K31). K31 is used as a program 
counter. 'Ilie contents of the general purpose registers arc 
stoicd in the register file 2111. When the exception occurs 
during the execution of the encrypted program as described 
above^ the contents of the register file 2111 are moved to the 
rcgi.stcr huffcr 2119, and the contents nf the register file 2111 

)5 are initialized by a prescribed value or a random number. 
Then, the value of the conunon key used for decryption of 
the encrypted program is stored in the previous common key 
register 2123. Only when these two t>'pe& of initialization are 
completed, the control is sliiftcd to the exception handler and 

2n the instructions ol the exception hiindler are executed. The 
instmctioos of the exception handler are assumed to be 
non-encrypied. 

By this register lile iniliahzalion lunclion, in the processor 
of this embodiment, the reading of the register values 

25 processed by the encT>pied program by the exception han- 
dler program is prevented even in the case where the control 
is shifted to the exception handler as an exception occurs 
during the execution of the encrypted program. At Ihe same 
time, the contents of the register file 2111 are saved in the 

^0 re^sler buffer 2119, and there is a function Lor recovering 
the register buITer oonlenls and for storing ihem into the 
memory as wiU be described below, so as to enable the 
restart of the encrypted program. 

Now, tlie register contents stored in tlie register buffer 

3<; 2119 cannot be read out directly from the uou-eocrypted 
program of the exception liandler. 'Mie non-encrypted pm- 
grani of the exception handler is only allowed to perform the 
following two operations wiih respect lo ihe register buffer 
2119. 

(1) Recover the register buflvr contents and restart the 
execution of the original encrypted program. 

(2) Lncrypting the register buffer contents and store them 
into the memory^ and execute the OS program or another 
encrypted program. 

45 I n the case of ( I ), when the exception handle r piocessi ng 
such as the increment of the counter is finished, the excep- 
tion handler issued a "^cont" (continue) instruction. When the 
"oonf * instmction is executed, the contents of the register 
buffer 2119 and the previous conunon key register 2123 are 
recovered in the register file 2111 and the common key 
register 2117, respectively. The program counter is con- 
tained in the register file 2111, so that the execution of the 
encrypted program is restarted by setting the control back to 
a point where the execution of the encrypted program was 

55 interrupted. For the decryption of the encrypted program 
after the restart, the value recovered from the previous 
common key register 2123 will be used. Similarly as the 
contents of the register buffer 2119, the program cannot 
rewrite the prcviotis common key register 2123 explicitly. 

The case of (2) corresponds lo Ihe case where Ihe process 
switching occurs at a liming of the execution of the excep- 
tion haoillcr. In this case, the exception handler or a task 
dispatcher of Ihe processor issues a ^''sHvereg'* (save register) 
instruction for saving the contents of the register buffer 2119 

g5 into the memory. Thiii "savereg" inslniclion Ls denoted by 
Ihe following mnemonic: 

fiavcrcg dent 
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ami lakes one operand 'Mesl" iatlica ling an address lo which The original program can be restarted by recovering the 

the register buffer cootcats are to be saved. execution state in the registers. On the other hajid. programs 

When the "'savereg" inslruclion is issued, the conlenLs of other lhan the program that has generated the execution 
the register buffer 2119 and the previous commoD key stale, that is programs encrypled by encryption keys dilTer- 
register 2123 arc encrypted by the encryption function 2121 5 ent from that of the original program or plaintext prc^rams, 
by using the public key Kp of the processor stored in the will be referred to as other programs. 
publickeyregister2120, and saves at an address on the main llie illegal accesses or the attacks with resi»ct to the 
memory 2103 specified by "d est"' through the BIU 2118. 'ITie execution state generated by some original program are 
main memory 2103 is outside the prncesstir so tliat it lias a dctined as an act of directly analyzing tlie execution state on 
possibility of being accessed by the user, but these contents id the memory by some method independently from the opera- 
are encrypted by tlie public key of the processor so thai the tioo of the processor by a third party who docs not know the 
user who does not know the secret key of the processor encry|>tion key of tl« original program, or an act of analyz- 
cannnt learn the register buffer contents. ing the execution state or rewriting the execution state to a 

After the register buffer contents are saved, the OS desired value by a third party utili^ng the other programs 

activates another encryj^ted program by the method 1.5 operated on tlie same processor. 

described above. If aDOtbcr encrypted program is activated In the microprocessor of this embodiment, the execution 

without saving the register hufTer contents, the register state is protected by the fallowing three types of mecha- 

buffer oontents would be rewritten to those of another nisms so as to prevent the Illegal accesses utiti7.lng the 

encrypted program when the execution of another encrypted access to the memory external of the processor or the other 

pmgrani is intermpted, and it would become imjiossible to zo programs. 

restart the original encrypted program as the register buffer First, in this embodiment, the register information is 

contents for the original encrypted program arc lost. saved in the register bu£fcr 2119 when the execution of the 

HcrCy the ntmibcr of the register buffer is assumed lo be encrypted program is interrupted. Tbcn, the register buffer 

one, but it is also possible to provide a plurality of register 2119 and the previous common key register 2123 cannot be 

buffers so as to be able to deal with multiple eicceptions. 25 accessed by any methods other than that using the ^'rcvrrcg*' 

[Recovery Pioocduic] instruction or the "savercg" insmKtk>n, so that the other 

Next a procedure for iccovering the saved execution state programs caimot read their contents freely, 

will be described. In Ihe conventional processor, the register contents at a 

At a lime of restarting the iotcnuptcd application, a time of the exception occurrence can be freely read by the 

dispatcher of the OS issues a "icvrreg" (recover legisler) 30 exception handler program. In the microprocessor of this 

instruction. ThLs "revrreg" instructiun is denoted by Ihe cmbtidiraent, ibe register contents are saved in the register 

following mnemonic: buffer 2U9 so as to prohibit the reading from the other 

TcvriB nJdr programs, and the instruaion for saving the register buffer 

Tcvrieg contents by encrypling them by using the public key of the 

and takes one operand '"addr** indicating an address al which 35 processor is provided sti as lo prevent the peeping of the 

the execution slate is saved. execution stale saved on Ihe memory by the user of the 

When the '*revrreg" instruction is issued, the encrypted system, 

execution state information LS taken out Irom the address ol The second attacking method includes a methcxi for 

the memory speciiied by "addr" by the BIU 2118 of the reading values of the registere contained in Ihe execution 

processor, decrypted by using the secret key Ks of the 4i) state by placing tlie instruction of .some other program 

processor by the decryption funcUoo 2122, and Ihe register known lo Ihe attacker at the same memory acklress as the 

information is recovered in tlie register file 2111 while the original pn^gram such that this other program reads the 

program decryption key is recovered in the common key encrypted execution state. 

register 2117. When Ihe recovery is completed, the execu- In Ihe micruprucessor of this embodiment, the encrypted 

tion of the interrupted program is restarted from a point 4.5 execution state contains the program encrytnion key, and 

indicated by the prc^ram counter. At this point, the key Kx this key will be used in dccryjjting the encrypted program at 

recovered from the execution state information will he used a time of restart. Ilecause of this mechanism, even when the 

for decryption of the encrypted program. other program other than the original program attempts to 

The detail of the saving and the icoovcry of the execution icad the execution state, the key for docs not match so that 

state in relation to tlie interruption of the encrypted program so the program cannot l^e decrypted correctly and the program 

due tn exception has been described above. As already cannotl^eexecutedaccordingtotheintentionof the attacker, 

described above, the cnci>'ptcd programs are safe against Thus the second attacking method is impossible in the 

attacks from the user wlio can operate the OS of the target microprocessor of this embodimenu 

system. This effect cannot be realized by simply encrypting the 

Next, the safety of the above described scheme agamst 55 execution state itseff by the public key of the processor, but 

two types of attacks against the execution state will be can be realized by encrypting the dccryptk)n key of the 

described. original program and the execution state integrally. 

[Attacks Against the Execution State] Note that, in order lo maximize this effect, values of the 

There arc two types of attacks against the execution state registers (RO to R31) and the common key Kx should 

that is generated in a process of the application execution. 60 preferably be stored in the identical cipher block at a time of 

One is the peeping of the saved execution stale by an the encr>'plion using the public key. 

attacker, and the otiier is the rewriting of the execution state [Data Proteciion] 

lo a desired value by an attacker. In the microprocessor of this embtidimeni, Ihe encryption 

Here, the following two terms lor expressing the ilkgal of the data is not accounted, but it should be apparent lo 

accesses to the execution state wiU. be defined. First, the 65 those skilled in the art that it is possible to add the data 

program that has generated ihe execution state will be encryption function lo the microprocessor of this embodi- 

referred to as an origind program for that execution state. meot similarly as the data encryption in the microprocessor 
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for supporling the virtual meraorj* which will be described lo this microprocessor. Now, consider the case of purchasing 

in Ihe second embodimenl. a dcsixed execution program A from some program vendor 

Referring now to I'lC;, 3 to l-'KI. 14, the second enibi^i- and executing it. The program vendor encrypts Ihe program 

mcnt of a tamper resistant microprocessor acairding to the a by u.sing a common execution code encryption key Kcode 

picisenl invcnlion wiU be described in detail. 5 (li^^^lAj) before supplying tlie execution program A. and 

Id this embodiment the miciopioccssor according to the common kev Kcode used a>r encryption in a form 

present mvcntion will be descrnjed for an exemplary case of cncryined bv usi ng tl» public kcv Kp of the m icroproccssor 

using an architecture Wd on the widely used JVnt.um Pro (L [Kcode]) to die mkiopa-icessor 101. 'l4 micm- 

pucroproccssor of the imd corporation, but the present p„Js.^^r lOl is a multUaivkpro^ssorwhich pmcesses ,u.^ 

mvcDtionis not hmitcd lo this particular architecture. In the 1 a 1 • 1 i. 1. i? 

following description, features specific to the Pentium Pro ''i? ^^'^ P^^eram A but also a phirahty ot 

microproce.s.sor arcbilcclure will be noted and applications diftexent encrypted programs in a quasi parallel manner (that 

to the other architectures will be mentioned. allowmg mterniptions). Also, the micn:)proces«>r 101 

Note that the Pentium Pro architecture distinguishes three obviously executes not only the encrypted programs but also 

types of addresses in Ihe address space including physical plamitxl programs. 

addresses, linear addresses and logical addresse.s. but Ihe llie microprocessor 101 reads out a plurality of programs 

linear addresses in the Pcntmm terminology will also be ciK»>'ptcd by using different execution code enciyptioii keys 

referred to as K^gkral addresses in this embodiment. from a main memory 281 external of the rTncropix)ces.sor 101 

Id the Ibllowing description, the prulecLion implies Ihe through the bus Interface unit (reading function) 112. ilie 

pruleciioa of secrets of applications (that is the proieaion by execution code decryption unit 212 decrypts these plurality 

encryption), unless otherwise stated. Oinsequently, the pro- in of read out programs by using respectively corresponding 

tcctioD in this embodiment should be clearly distinguished decryption keys, and the iDStruction execution unit 115 

from the ordinarily used concept of protection, that is the executes these plurality of decrypted programs, 

prevention of disturbances ou the opcratious of the other Inthccaseofintemiptiug the execution of some program, 

applications due to the operation of some application. the context information encryplioa'dccryption unit 254 of 

However, in the present invention, it is assumed that the 25 the exception processing unit 131 encrypts information 

operation protection mechanism in the ordinary sense is of indicating the execution state up to an interrupted point of 

course provided by the OS (ahhougti the description of this the program to be intcnuptcd and the code encryption key of 

aspect will be omitted as ii is unrelated 10 the present this program by using the pubhc key of Ihe microprocessor 

invention), in parallel to the protection of secrets of appH- 101, and writes the encrypted informatioD imo the main 

cations according to the present inventioD. ^0 memory 281 as Ihe context information. 

Also, in the following description, a machine language In the case of restarting the iolcrrupte^l program, the 

mstructions that arc executable by the processor will be execution code encryption key and signature verification 

referred to as iastniciions, and a plurality of instructions will unit 257 decrypts ihe encrypted context information by 

be colleclively referred lo as an execution code or an u.sing the secret key of Ihe micrtiprocessor 101, verities 

instruction stream. A key used in encrypting the instruaion 35 whether the execution code encryption key conuinetl in the 

stream will be referred lo as the execution code encryption decrypted context inlorraalion (that is the execution code 

key. encryptionb key of ihe program scheduled 10 be restarted) 

Also, in the following description, the secret protection coincides with the original execution code encr>'plion key of 

mechanism will be described as protecting secrets of appli- Ihe inlerrupled program, and restarts the execution of the 

cations under die management of the OS, Init this mecha- 40 program only when they coincide. 

nism can also be utilized as » mechanism for protecling the Here, before describing the detailed coniigu ration and 

OS itself from alteration or analysis. fuiKtions of the microiirocessor 101, the prix;essing proce- 

l-Ki. 3 shows a basic configuratkui of the microprocessor dure for the executk>n of plaintext in.Mnictions and the 

according to this embodiment, and FIG. 4 shows a detailed execution of encrypted prugraois by the micToprocessor 101 

configuration of the microprocessor shown in J<1(j. 3. 45 will be outlined. 

Hlie micropn-Kressor tOl has a processor core 111, an When the microprocessor 101 executes a plaintext 

instruction 'VIM (Vtihlc l/ioloip liuffer) 121, an exception instruction, the instraction fetch/decode unit 214 attempts to 

pmcessingunit131, adata'H.HCrablelxxjkup ISufTer) 141, read the content of an address indicated by a program 

a secondary cache 152. The processor core III includes a bus counter (not shown) from an LI instruction cache 213. If the 

interface unit 112, a code and data encryption/decryption 5i» content of the specified address is cached, the instruction is 

processing unit 113, a primary cache 114, and an instruction read nut from the l;l instruction cache 213, sent to the 

execution unit 115. instruction table 215, and executed. The instruction tabic 

'Hie instruction execution unit 115 furtlier includes an 215 is capable of executing a plurality of instmctions in 

mstruction fctch'decodc unit 214, an instruction tabki 215, parallel, and requests reading of data necessary for carrying 

an instruction execution switching unit 216, and an mstruc- 55 out the execution to the instruction execution switchmg unit 

tion execution completing unit 217. 216 and receives the data. When the instructioDS arc 

The exception processing unit 131 further mcludes a executed in parallel and their execution results arc 

register file 253, a context information encryption/ dctcnuincd, the execution results arc sent to the instruction 

decryption unit 254, ao exception processing unit 255, a execution completing unit 217. The instruction execution 

secret protection violation detection unit 256, and an execu- go completing unit 217 writes the execution result into the 

tion cotle encryption key and signature veriiicalion unit 257. regisler Die 253 when Ihe operation target is a register inside 

The instruction TLB 121 further includes a page table the microprocessor 101, or into an LI data cache 218 when 

builer 230, an execution code decryption key table bulljer Ihe operation target is a memory. 

231, and a key decryption unit 232. The data TLB 141 The conieni of Itie LI data cache 218 is civched once again 

further iQcliides a protection table management unit 233. 05 by an L2 cache 152 under the control of the bus interface 

The microprocessor 101 has a key storage region 241 for unit 112, and wrillen into the main memory 281. Here, the 

storing a public key Kp and a secret key Ks which are unique virtual memory mechanism is used, where a correspondence 
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between the logical meraor>' aJdress and Ihe physical 
memory address is defined by a page table shown in I'lG. 5. 

The page lablc is » dula slruclure placed on Ihe physical 
memory. The data TLB 141 aclually carries out a c<.>nversion 
fiom the lexical address to die physical address, and at the 5 
same lime manages the data cache. The data TLB 141 reads 
a necessary portion of the table according to a top address of 
tlie table indicated by a register inside the microprocessor 
101, and carries out the ojieratinn for converting the logical 
address into tlie physical address. At this point, only the !» 
necessary portion of the pagp table is read o\it to a page table 
buffer 234 according to the logical address to be accessed, 
rather than reading out the entire page table on the memory 
to the dataTT.n 141. 

'lite basic cache operation is stable regardless of whether 15 
the iastruction& of the piogram arc CDcryptcd or not. Namely, 
a part of the page table is read out to the instruction TT.B 
121, and the address conversion is carried nut according to 
the definition contained theicin. The bus inteif ace unit 112 
reads instmctions from the main mernnry 2S1 or the T.2 zn 
cache 152, and in&tnictions arc stored in the LI instruction 
cache 213. The reading of instructions out to the LI instruc- 
tion cache 213 is carried out in units of a line formed by a 
plurality of words, which enables a faster access than the 
reading in word imits. 25 

The address conversion utilizing the same page table on 
the physical memory is also canicd out for the processing 
target data of the executed instiuciions, and the execution of 
the conversion is carried out at the data TLB 141 as 
described above. 30 

The operation up to (his point is basically the same as the 
general cache memory operation. 

Next, the operation in the case of executing an encrypted 
program will be described. In this embodiment, it is assumed 
that the execution codes for which .scciels are to be protected 35 
are all encrypted, and the encrypted execution codes will 
ako be referred lo as protected codes. In addition, a range of 
the protection by the same encryption key will be referred to 
as a pruleclion domain. Namely, a set of codes protected by 
the same encryption key is belonging to tlic same domain, 4i> 
and cc^>des protected by dillerent encryption keys are belong- 
ing to different protection domains. 

I 'irst, the execution codes of a program encrypted by the 
secret key scheme block cipher algorithm are stored on the 
main memory 281. A method for loading the encrypted 4.5 
program transmitted from a pmgram vendor will be men- 
tioned Iwlow. 

A cipher block size of the execution codes can be any 
vahie as long as two to the power of the bbck size coincides 
with a line si^e that is a unit fbr reading'writing with respect 5i» 
to the cache memory. I lowever, if the block size is so small 
that a block length coincides with an instruction Jcnglh, there 
arises a possibility for analyzing the imtruction easily by 
recording a correspondence between encrypted data and a 
predictable portion of the instmction such as a top portion of 55 
a sub-routine. For this reason, in this embodiment, the 
blocks are interleaved such that there is a mutual depen- 
dency among data in the blocks and the encrypted block 
contains information on a plurality of instruction words or 
operands. In this way, it is made difficult to set a corrcspon- go 
dence between the instruction and the encrypted block. 

FIGS. 7Aand 7B show an example of the interleaving tliat 
can be used in this embodiment. In this example, it is 
assumed that the line size of the cache is 32 bytes and the 
block size is 64 bits (i.e., 8 bytes). As shown in FIG. 7A, 65 
before the interleaving, one word is formed by 4 bytes, so 
that a word A is formed by 4 bytes of AO lo A3. One line is 
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ibrmed by 8 words of A lo H. When this is interleaved in 
units of 8 bytes corresponding lo the block size of 64 bits, 
as shown in h'tCi. 71), AO, HO, . . . , IIO are arranged in the 
first block corresponding to word 0 and word 1, Al, lU, 

HI are arranged in the next block, and so on. 

An attack can be made more difficult by setting a length 
of a region to be interleaved longer, but the interleaving of 
a region with a length longer than Ihe line size makes the 
processing more complicated and lowers the processing 
speed because the decryption/encryption of one cache line 
would depend on reading/writing of another line. 'Ilius it is 
preferable lo set a range for interleaving within a range of 
the cache line size. 

Here the method for interleaving data of blocks is used 
such thai there is a mutual dependency among data in a 
plurality of blocks contained in the cache line, but it is also 
possible to use the other method for generating a depen- 
dency among data blocks, such as die CBC (Cipher Block 
Chaining) mode of the block cipher. 

The decryption key Kcode (which will also be referred to 
as the encryptk>n key hereafter even in the case of decryp- 
tion because the encryption key and the decryption key are 
identical in the secret key algorithm) of the encrypted 
execution codes is dcicrmmed according to ihc page table. 
FIG. 5 and FIG. 6 show a tabic structure of the conversion 
£rom the logical address to the physical address. 

A logical address 301 of the program counter mdicates 
some vahic, and a directory 302 and a tabic 303 constituting 
its upper bits specify a page enir>' 307-/ The page entry 
307-j contains a key entry ID 307->-A; and a key entry 309-/rt 
to be used for decr>'plion of this page is determined in a key 
table 309 according to Ibis ID. The physical address of the 
key table 309 is speciiicd by a key tabk; control register 308 
inside the microprocessor. 

In this coniigu ration, the ID of the key entry is set in the 
page entry rather than setting the key information directly, 
such that the key information in a large size is shared among 
a plurality of pages so as to save a limited size of a memory 
region on the instruction TLB 121. 

In further detail, the page table and key table inlbrmalion 
is stored into the instruction VIM 121 as follows. Only 
portions necessary for the access to the memory is read out 
from the page tallies 306, 307 and 311 to the page talile 
bulfer 230, and from the key table 309 to tlie executktn code 
decryption key table buller 231. 

In a state of being stored on the main memory, a reference 
counter nf the key oliject 309-m which is an element of the 
key table 309 indicates the number nf page tables that refer 
to this key objecL In a state where the key nl^jecl is read out 
to the execution code decryption key table buffer 231, this 
ret^renoe counter indicates the number of page tables that 
refer to this key object and that are read out to the page talile 
buffer 230. Hus reference counter will be used for judge- 
ment at a time of deleting any unnecessary key object from 
the execution code decryption key tabic bufOer 231. 

One of the features of this cmbodhncnt is that the key 
tabic entry has a fixed length but a key length used in each 
table is made variable in order to be able to deal with a 
higlicr cryptoanaljiic power, and specified at a key size 
region of the key table. It implies that the secret key Ks 
unique to the micropioocssor 101 is fixed but the length of 
Kcode to be used for encr>'ption and decryption of the 
program can be changed by the specification of the key 
entry. In order lo specily a position of the variable lenglh 
key, the key entry 3U9-m has a field 309-;7r-4 pointing to the 
key entry, which indicates an address of the key object 310. 

In Ihe key object region 310, the execuliun code encryp- 
tion key Kcode is stored in u form E^Kcode] encrypted by 
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code encryption key Kcotle, a value E^^iKi] 833 in which The known -plainl ex! allack is not la Lai lo Ihe secret key 

tlic key Xr used in encrypting the context is encrypted by algoritluu, but it is still preferable to avoid thJii. I'or this 

using the public key Kp ol the processor, and a signature reason, a random number Kr is generaletl al a random 

^ArJ!™<^^^£<^] using the secrel key Ks of the processor number generation mechanism 252 of the exception pro* 

with respect to them all are placed. Also, a region 801 for a 5 cessiug unit 131 at each occasion of the context saving, and 

link to Ihe previous task that maintains a call up relationship supplied to the context information encryplioD/decryplion 

among taAfcs is saved in a plaintext form in order to enable unit 254. 'I he context information encryption/decryption 

the task scheduling by the OS. unit 254 encrypts the context by the secret key algorithm 

'lliesc execution code eix:ryption and signature generation using ttie random number Kr. Tlien, the value lij»r, ,,j^2jKr] 

are carried out by the context information encryption/ u> 832 in which the random number Kr is encrypted ]>y the 

decryption unit 254 in the exception processing unit 131 same secret key algodtbm using the exeaition code encryp- 

shown in I'lCJ. 4, which is biscd on a function independent tion key Kcode is attached. ITie value lijjKr] 833 is 

from tlie encryption of the pmoessing taigjet data of the obtained by encrypting the random numl^er Kr by the public 

execution codes. At a time of saving the context information key algorithm luCing the public key Kp of the micioproces- 

in the TSS, even if some encryption is specified in an address 1 5 sor. 

of the TSS by the other data cnctyptbn function, this Here, the random number is generated by the random 

specification is ignored and the context informatk>n is saved number generation mechanism 252. In the case wliere the 

in a state in which the context is encrypted. 'Iliis is because program is encrypted, normally there is no change in the 

the encryption attributes of the data encryption function arc program codes so that tbc corresponding plaintext codes 

specific to each protected (encrypted) pmgram so that the ir) cannot be acquired illegally as long as the operation Ls not 

restart of some program caimot depend on that function. analyzed. In this case, there is a need to carry out the 

In encrypting the context, a word in the TSS size region ''ciphcrtcxt>only attack" in order to cryptoanalyzc, so that it 

826 to be rccoidcd in a plaintext form is replaced to a value is very difficult to find the encryption key. However, in the 

"(T. Then, the interleaving similar to that explained with case where the data entered by the user arc to be stored into 

references to FIGS. 7Aand 7B is applied, and the context is 25 the memory by encrypting them, the tiscr can freely select 

encrypted. At Ibis point, the padding 831 is set to a size that the input data. For this reason, it is possible tor the user to 

enables the appropriate interleaving in accordance with the make the ^chosen-plaintext attack^ against the encryption 

encryption bkx:k size. key which is far more eileclivc than the "dpherlext-only 

Hero, the reason for not encrypting the register values attack", 

directly by Ihe public key Kp of ihe processtir or the ^0 Againsllhe chosen-plaintext attack, it is possible to adopt 

execution ccxks encryption key Kcode is to enable the a measure lor enlarging the search space by adding a random 

aiialj'sis of the encrypted context by both tbc program number called *'salt" into the plaintext to be protected, 

vendor and the processor while prohibiting the decrypiioo of However, it is very tedious to implement the saving into the 

the context by ihe user. memory in a form where the "salt" rantk)m number is 

The program vendor knows the execution ctKle encryption 55 incorporated in every data at Ihe application programming 

key Kcxide so that Ihe program vendor can obtain the level, so that this can cau.se the lowering of the programming 

encryption key Kr of Ihe context by decrypting Ej^^^^^J^Kr] eHicu^Dcy and pertbrmance. 

832 by using Kcode. Also, the microprocessor 101 can For llis reason, the random number generation mecha- 

obtain Ihe encryption key Kr of Ihe context by decrypting nism 252 generates the random number (encryption key) lor 

ii/r/I^r] by using the own secret key Ks. Namely, the 4» encryi>iing the context at each occasion of the context 

program vendor can analyze the trouble by decrypting the saving. As the encryiiLion key can be selected arbitrarily, 

context information without knowing tlie secret key of the there ls also an etTect that the safe communications between 

microprocessor of the user, and the micri^proccssor 101 processes or between processes aixl devices can be realized 

itself can restart the execution by decrypting Ihe context faster. This is because the speed for encrypting data by the 

information by using the own secret key Ks. 'llic user who 45 hardware at a time of the memory access is far slower in 

docs not have either key cannot decrypt the saved context general than the speed for encrypting data by the software. 

J nfnrmation. Also, the user who does not know tlie secret key On tlie co ntrary, if the value of the e ncryjUinn key for the 

Ks of the microprocessor 101 cannot forge the context data region is limited Ui a prescrilied value such as that 

information and the signature SArJmessagc] with reject to identical to the execution code encryption key for example, 

^Kco«<J!'^'^] ^aJL^*]' 50 then it l>ecomes Impossible to iLse the data encryption 

In order to enable the mutually independent encryption of function of the processor for the other programs encrypted 

the context information by the program vendor and the by the other encryption keys or the sharing of tbc encrypted 

microprocessor, it is alsi> possible to consider a method for data whh the devices, so that it becomes inipos.sible to take 

encrypting the context informadon directly by using Kcode. advantage of the fast hardware encryption fimction provklcd 

However, m the case where the register state is already 55 in the processor. 

known, there is a possibility for the known-plaintext attack Note that the decryption of the encrypted random number 

against the execution code encryption key Kcode. Namely, Eje,^rf,.[Kr] 832 that takes place at a tunc of the restart and 

when a value of the key for encrypting data is fixed, the the generation of the signature 834 can be based on any 

following probkm arises. Consider the case of executing a algorithm and secret information as long as a condition that 

program which reads a data mput by the user and writes it 00 they can be carried out only by the microprocessor 101 is 

into a working memory temporarily by encrypting it. The salislied. In the above example, Ihe secret key Ks unique to 

data that arc to be encrypted and written into the working the microprocessor 101 (which is also used for the dccryp- 

memory can be ascertained by monitoring the memory, so lion of the execution code encryption key Kcode) is used Ibr 

thai the user can repeat the input many times by changing the both, but respectively diilerent values may be used lor these 

input value and obtain the corresponding encrypted data. 05 purposes. 

This implies thai the chosen-plaintext attack of the ciyp- Also. Ihe saved coniexl contains a Hag indicating the 

toanalysis theory is possible. presence/absence of the encryption, so that the encrypted 
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coQlcxL inlormalion ami Ihe non-<:ncr>pLed ctinlexl inJbrma- 
Uon can coexist according to the need, llic l^JS size and the 
Jlag indicating the presence/absence ui* the encryplion arc 
stored in a plaintext roim so lh<)i ii is easy lo maintjiiii Ihe 
compatibility with respect to the past programs. 

<Proct:stfsing Cor Restarting the Interrupted Paigrara> 

At a time of restarting the process liy recovering the 
context, the OS issues a Jump or call instruction with respect 
to a 'IKS devScrfi)tor indicating the saved 'INS, 

Returning now to M(i. 4, the execution aide eticryption 
key and signature verification unit 257 if the exception 
processing unit 131 verifies the signature message] IJ34 
by using the secret key Ks of the processor first, and sends 
the veriflcation remit to the exoeption pmceftsing unit 255. 
In the case where tlie verification result is failure, the 
cxccptk>n proccssiQg imit 255 stops the rcstait of the execu- 
tion of the program, and causes the exoeption. Uy this 
verification, it Ls possible to confirm that the context infor- 
mation is surely generated by the proper mkroproccssor 101 
tfiat ha.s the secret key and not altered. 

When the vcrificatioD of the signature succeeds, the 
context information cocryption/'ctecryption imit 254 obtains 
the random number Kr by decrypting the context encryption 
^<^y E|Kp[Kr] 833 by tising the secret key Ks. On the other 
hand, the execution code encryption key Kcode oonespond- 
ing to the program counter (EIP) 809 is taken out from the 
page tabic buflOcr 230, and sent to the cuncni code encryp- 
tion key memory unit 251. The context information 
encryption/decryption unit 254 decrypts ^kcojJL^] using 
the execution code decryption key Kcode, and sends the 
result to the execution code encryption key and signature 
verification unit 257. The execution code encryption key and 
signature verification unit 257 verilies whether the decryp- 
ticin result of Ejtr,„^iJ|Kr] 832 ctiinddes with the decryption 
result of the microprocessor using the secret key K.s or not. 
By this verification, il is possible lu ci.>aiirm thai this context, 
inlbrmation is generated by the execution of the execution 
codes encrypted by using the secret key Kcode. 

If Ibis verifioition of the execution code encryption key 
with respect to the context information is not carried out, it 
wouki become possible for the user lo make an attack by 
producing aides encrypted by asing any suitalile secret key 
Ka and applies the context information obtained by execut- 
ing these codes to the codes encrypted by the other secret 
key Kb. 'l*he above verification eliminates a possibility of 
this attack and guarantees tlie safety of tlie context infor- 
mation for the protected codes. 

'Hits object can also be achieved hy adding a secnet 
execution code encryption key Koodc to the context 
information, but in this embodiment, by the msc of the valne 
li^c^^Kr] in which a secret random number Kr used in 
encrypting the context information is encrypted by using the 
execution code encryption key Kcode selected by the pro- 
gram vendor, it is possible to reduce the amount of memory 
required for saving the context information so as to achieve 
the cfiTccts of the fast context switching and the memory 
saving. This also enables the feedback of the context infor- 
mation to the program creator. 

Now, when the verification of the execution code cnciyp- 
tion key and the verification of the signature by the execu- 
tion code encryption key and signature veriilcaLioo unit 257 
both succeed, the context is recovered to the register file 253, 
and the program counter value is also recovered so that the 
control is returned lo an address at a time of the execution 
mterruption that caused to generate this context. 

When either one of these verilicadons fails so that the 
exception processing unit 255 causes the exception lo occur, 
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an exception occurrence address indicates an address ai 
which the jump or call instruction is issued. Ahio, a value 
indicating illegality of the 'IKS is stored into an intermption 
cause field in tlie lOT table, and an address of a jump target 

5 TSS is stored into a register that stores an address that is the 
cause of the intermption. In this way, the OS can icarn the 
cause of the context switching failure. 

Note that, in order to realiw tlie faster restart pmcessing, 
it is also possible to use a configuration in which the supply 
of the execution state encrypted by the context information 
encry|)tinn/decryption unit 254 to die register file 253 and 
the verificatioo processing by the execution code encryption 
key and signature verification imit 257 are carried out in 
parallel^ and the subsequent processing is stopped when the 
verification fails. 

The safely of this encryption scheme using a random 
niuobcr depends on the impossibiUty to predict a random 
number sequence used, and a method for generating by 
hanlware a random number thai is very hard to predict is 
disclosed in Onodera, et al., JapHnese Patent No. 2980576. 

2jn The analysis of the context information hy the program 
vendor is important in improving the quality of the program 
by analyzing the causes of any trouble in the program that 
occurred according to a conditk>n by which the program is 
used by the user. In this embodiment, m view of this fact, the 

25 above described scheme for realizing both the safety of the 
context and the capability of the context inlbrmation analy- 
sis by the program vendor is employed, but it is also true that 
the use of this scheme increases the overhead of the context 
saving. 

30 Moreover, the verilication of the context information by 
u.sing the signature made by the microprocessor prevents the 
execution of the protected codes in the illegal context 
information by using a combination of arbitrarily selected 
value and encryption key, but this additional protection also 
increases the overhead. 

Consequently, in the case where there is no need for the 
capability of the context inlbrmation analysis by the pro- 
gram vendor or a mechanism for eliminating the program 
restart using the Illegal context informalion, the context 

41) information containing information for identifying the 
execution code ent^yplion key may be directly encrypted by 
using the secret key of die processor, liven in such a case, it 
is still possi1>le to make the intentional aheration of the 
context cryptographically impossible, and prevent the con- 

« text information from being applied to a program encrypted 
by using a different encryption key. 

I lere, the context saving format will he described further. 
Its relationship whh the ojieration will lie described later. 
In FIG. 10, an ''R" bh ^25-1 is a bit indkating whether the 

si> context is restartable or not. When this bit is set to ''I", the 
execution can be nestarted by recovering the state saved in 
the context by the above described recovery procedure, 
whereas when this bh is set to "()", the restart cannot lie 
made. This has an effect of preventing the restart of the 

55 context in which the illegality is detected during the execu- 
tion of the encr>'ptcd program so as to limit the restartable 
contexts to only those in the proper states. 

A "U" bit 825-2 is a flag indicating whether the TSvS is a 
user TSS or a system TSS. When this bit is set to **Cr**, the 

60 saved TSS is the system TSS, and when this bit is set to " 1", 
the savetl TSS is the user TSS. The TSS that will be saved 
and recovered through the task switching accompanied by 
the change of ihe privilege from the exception entry as 
described above or ituuugh a task gate call up is the system 

as TSS. 

The dilE&rence between the system TSS and the user TSS 
lies in whether a task register indicating a TSS saWng 
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localiuD ul' ibe currenlly execuled pru^am i& lu be iipdaieil 
or Dol ai d lime of ihe recovery of I he TSS. In Ihe recovery 
of the system 'IISS, the task register of tlie currently executed 
pmgram will be saved in the link to the previous task region 
801 of Ihe TSS to be newly recovered^ and the .segmeni 
selector of the new TSS will be read into the task register. On 
the other hand, in the recovery of the user 'ITSS, the update 
nf the task register value will not he carried nut. 'Ihe user 
TSS is aimed only at the saving and the rocovciy of the 
register state of the program so that it is not accompanied by 
tlie change of the privileged mode. 

The exception includes a soft ware inlerrupl use<l for Ihc 
system call up from the application program. In the case of 
the software interrupt for the purpose of the system call up, 
Ihe generdl purpose register is often used for Ihe parameter 
exchange, and there uin be cases where Ihe context infor- 
mation caoryption can obstmct the parameter exchange. 

The software interrupt is generated by the apjilication 
ilself, so that it is posi^le for Ihe applicalion to destroy 
infunualion of the registers thai have setavis, prior to Ihe 
generation of the softwarB interrupt. Uixter the presumption 
of such oonditions, it is possible to use a scheme in wliich 
the encryption of the registers is not carried out only in the 
case of the software interrupt. Of course, in such a case, the 
application program creator should take this fact into oon- 
skiciation and design the program such that die secrets of the 
program can be protected. 

Kext, tbc suppression of the plaintext program debugging 
fuDciion will be described. 

The processor has a stop execution function which causes 
Ihe inLerrupiion whenever one instruction is executed, and a 
debugging function which causes the exception whenever a 
memory access with respect to a specific address is made. 
These fimciions may be useful Jbr the development of 
programs but they can impair the safely of programs thai are 
encrypted for the purpose of the secret protection. 
Consequently, in the microprocessor of this embcKlimenl, 
such debugging functions are suppressed dutii^ the execu- 
tion of the encTvpled program. 

The inslruclioQ TLB 121 can Judge whether Ihe currently 
executed code ispmtected or not (encrypted or not). During 
the execution of Ihe protected code, two debugging func- 
tions including a debug register fiiixition and a step execu- 
tion function are prohibited in order to prevent an intrusion 
of ttie encrypted program analysis from a debug llag or a 
det)ng register. 

'Hie debug register -function is a function in which a 
memory access range and an access type such as reading/ 
writing as tlie execution code ot data are set in advaiKe into 
a debug register provided in the processor such that the 
interruption is caused whenever a corresponding memory 
access occurs. In this emhodhnent, during the execution of 
the protected code, the contents set in the debug register will 
be ignored so that the interrupt k>n for the puqxise of the 
debugging will not occur. Note however that the case where 
a debug bit is set in the page table is excluded from this ruk. 
The debug bit in the page table will be described later. 

Diuing the execution of a noo-proiccicd (plaintext) code, 
the interruption will be caused whenever oric instruction is 
executed if a step execution bit in an EFLAGS register of the 
processor is set, but during the execution of the protected 
code, thLs bit will also ha ignoretl so that the inlerruplion will 
not occur. 

In this embodiment, in addition to the encryption of the 
execution codes lor the purpose of preventing the analysis, 
these functions make the analysis of tbc program by tlic user 
diillculi by preventing Ihe dynamic analysis of the program 
using the debug register or ihe debug llag. 
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<Dala Prc»leclion> 

Next, the protection of ibc processing target data of the 
execution ctxles will be described. 

In this embodiment, the encTyption allribuies for prolect- 

5 ing data are defined in four registers CVO to CY3 that arc 
provided inside the microprocesst^r 101. They correspond to 
regions 717 to 720 shown in I'KJ. 9. In J Ki. 9. details of the 
registers CYO to CY2 are omhted, and only details of the 
register (^Y3 are shown. 

ii» lilcments of the encryption attribute will now be 
described by taking the CY3 register 717 as an example. 
Upi^r bits of the logical address indicating a top of the 
region to l)e eiKrypted are specified in a base address 717-1. 
The size of the region is specified in a size region 717-4. A 

15 si7£ IS specified in units of the cache line so that there is an 
invalid portion at the lower bits. A data encryption key is 
specified in a region 717-5. Here the secret key algorithm is 
used so that the region 717^ is also used for the decryption 
key. When a value of tbc encryption key is specified as 

zn it Imphes that the region indicated by diat register is not 
encrypted. 

Among the specifications of the regions, CYO is given the 
highest priority, and CYl to CY3 arc given sequentially 
lower priorities in this order. For example^ When tbc regions 

25 specified by CYO and CYl overlap, the attributes of CYO are 
given the priority over those of CYl in that region. Also, the 
definition of the page table is given the highest priority - in the 
case of a memory access as the execution code rather than 
as the processing target data. 

30 A tlebug bit 717-4 is used in selecting whether the data 
operalion in the debugging state is lo be carried out in an 
encrypted state or in a plaintext state. Details of the debug 
bit will be described later. 

FIG. 12 shows the information flow in the encryption/ 

35 decryption of the processing large! data of the execution 
codes. Here, the data protection Ls made only in I be stale 
where the code is protecle<U ihat is the code is executed in 
an encrypted sute. Note however that die case where the 
code is executed in Ihe debugging slate Lo be described 

41) below will be excluded from this rule. When the code is 
protected, the contents of the data encryption control regis- 
ters (which will be also referred to as the encryinion attribute 
registers or the data protection auribme registers) CYO to 
CY3 are read from the register file 253 shown in FIG. 4 lo 

AS a data encryption key table 236 provided inside the dau '11 M 
141. 

When some instruction writes data into a kigkal address 
^Addr", the daU TIM 141 Judges whether the logical 
address "Acklr" is contained in ranges of CYO to CY3 or not 

5i» by checking tlie data encryption key table 235 (see V\G. 4). 
As a result of the Judgement, if the encryption attribute is 
spcdflcd, die data TLB 141 commands the code encryption 
function 212 to encrypt the memory content by the specified 
encryption key at a tunc of the memory writing of a 

55 corresponding cache line firom tbc LI data cache 218 to tbc 
memory. 

Similarly, in the case of reading, if tbc target address has 
the encryption attribute, the data TT.R 141 ooniniands the 
data decryption function 219 to decrypt the data by the 

GO specified encryption key at a time of the reading of a cache 
line out lo the corresponding LI data cache 218. 

In this embodiment, the data encr^'ption attributes arc 
protected from the illegal rewriting including Ihe privQege 
of the OS by placing all ihe data encrj'ption attributes for the 

65 data encryption in the registers inside the microprocessor 
101 and saving the conienus of the registers at a time of the 
execution inLerrupiion as ihe context inlbimation in a safe 
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piucessing can take plnce clirecQy, bul iL' il is a prolecled 
liistnictxoji, there is a need to cariy out tbc cxceptioa 
piocessing while protecting thai inslruclion. 

Consequently, when il is judged as a Dun-pTolecied 
iiLstnictioo (step 603 NO), the exception processing is car- 
ried oul direclly, whereas when it is Judged as a protected 
instruction (step 6003 YLS), the noh-n&startal>le exception 
processing is carried out wfalle maiotaiaiug the protected 
state. 

Hy this limitation of the control shifting, the direct shift- 
ing of the control from a plaintext code to a code at a 
location otlicr than that of the entry gate instruction is 
prohi1>ited. llie context recovery implies the recovery of the 
state that was already executed once by that program 
through the entry gate. (Tonsequently, the execution of the 
protected program must pass through tbc entry gate. By 
suppressing locatinnR for placing tlie entry gate to tlie 
minimum necessary nuni1>er in the program, tliere is an 
cficct of prcvcaiing ad attack for guessing a program struc- 
ture by executing tlie program from various addresses. 

Also, at this entry gate, the initiafizaticm of the data 
protcctioo attribute registers is carried out. When the entry 
gate is executed, a random munber Kr is loaded into a key 
region (a region 717-5 in CY3) of the data protection 
attribute rcf^stcrs CYO to CY3 717 to 720 shown in FIG, 9 
Tbc encryption target top address is set to "0*\ the size is set 
to an upper limit of the memory, and the entire logical 
jiddress space is set as Ihe encryption target. IT the debug 
attribute is not set in tbc execution cxmIc, the debug bit (717^ 
in CY3) is set as nun-debugging. 

Id olher words, at a liming of the encryplion code execu> 
tion start, all the memory accesses arc encrypted by using 
the random number Kr deiermined at a lime of the eniiy gate 
execution. Also, in (be execution code encryption control^ 
the definition in the page table is given a higher priority as 
already mentioned above. This random number Kr is gen- 
erated independently from the random number used in the 
coolexi encryption. 

By this mechanism, a protected program lo be newly 
executed is set to be always encrypted by using a key 
determined randomly at a lime of the start of all the memory 
accesses. 

Of course, in this state the entire memory region is 
encrypted so that il is impossible lo give parameters of the 
system call through the memory or exchange data with the 
other programs. I'or this reast>n, the program carries out the 
processing by sequentially adjusting its own processing 
environment by setting the data xirotection attribute registers 
siieb that the necessary memory region can be converted into 
plaintext so that it becomes accessible. Hy leaving the 
register <:Y3 with a lowest priority in the initial setting of 
being cnci>'ptcd by using the random number, while setting 
the encryi)tinn key **iY* as the plaintext access setting for the 
other registers, it is possible to reduce a risk of accessing an 
unnecessary region as a plaintext and writing data to be kept 
in secret by encryption out to a plaintext region by cnror. 

The contents of the registers other than tbc data protection 
attribute registers arc not encrypted even in the initialization 
at the entry gate, and pointers for specifymg locations of 
stacks or parameters can be stored therein. However, cares 
should be taken in the processing of the program lo be 
executed through the entry gate so that secrets of the 
program will not be stolen by calling up the entry gate by 
setting illegal values into the registers. 

It is also possible to use a configuration for initializing all 
the registers olher than the ilags and the program counter, 
including the general purpose registers other than (be data 
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protection attribute registers, at the entry gale in the case of 
attaching more importance to the sa£e^, even though this 
provision makes the programming more restricted and the 
eflidency poorer. Even in this case, Ihe parameters such as 

5 stacks can be exchanged through a memory region specified 
by a relative address or an absolute address of the program 
counter. Note however that, similarly as in tlie case of the 
context saving, the system registers iucludiug a part of the 
flag registers and the tasic register are excluded from a taiget 

to of the encryption or the initialization of the registers for the 
sake of continuation of the OS operation. 

In this way, in the microprocessor 101 of this 
embodiment, the fragniental execution of tlie protected code, 
espcciatly tlie illegal setting of the data protection state, is 

15 prevented, as the firsl instruction to l^e executed at a time of 
shifting the control from the program in the plaintext state to 
the protected program is limited to the entry gate instruction 
and the registers including the data protection attribute 
registers are initialized by the execution of the entry gate 

ZD instmctinn. 

Next, the execution control of the protected program will 
be described. First, the call up and the branching that arc 
ck>scd within the protection domain will be described. The 
call up within the protcaion domain is exactly tbc same as 

25 that for tbc usual programs. FIG. 13 shows the call up and 
tbc branching within the protection domain conceptually. 

The execution of the code 1101 in the protection domain 
is started as a thread 1121 outside the protection domain is 
branched into an "egate" (entry gate) mstruction of tbc 

30 prulection domain. By the execution of the "egate" 
instruction, all the registers are initialized, and then the data 
protcaion attributes arc set up sequentially by the execution 
of the program. The control is shiliwi to a branch target 
"xxx" ILU in the protection domain by a "jmp xxx" 

35 instruction (processing 1122), and a "call yyy" instruction 
local e4l at an address '*ppp" 1112 is executed (processing 
1123). The calling source address ''ppp** 1112 is pushed into 
a stack memory 1102, and the control is shilu^d to a call 
target "yyy" 1113. When the processing at the call target is 

40 completed and a "ret'* instruction is executed, the control is 
shifted to a return address '*ppp'* 1112 in the stack. There is 
no limitation on the execution control while the execution 
code encryinion key remains the same. 

Next, the call up and the branching Iiom a protection 

45 domain to a non -protection domain will Ix described. I or 
this control shifting, the execution of a special instruction 
and the o])eratinn of the user'l vSS to be described liclow will 
be carried out in order lo avoid a shifting from a i>rotcction 
domain to a non-protection domain that is not intended by 

51) the program creator and to protect the data protection state. 
I'ltl. 14 shows the call up and tlie branching from a 
protection domain to a non-protected domain conceptually, 
where an execution code 1201 of the x)rotection domain and 
an execution code 1202 of the non-protection domain arc 

55 placed in respective domains. Also, a user TSS region 1203 
and a region 1204 for exchanging parameters with tbc 
non-protection domain arc provided. 

The execution begins when a thread 1221 executes the 
cgatc** instruction. The program of the protection domain 

CO saves the address of the user TSS region 1203 in a prescribed 
parameter region 1204 before calling up the code of the 
non-protection domain. Then, the code of the non-protection 
domain is calleil up by executing the ''ecall** instruction. The 
"ecall" instruction takes two operands. One is a call target 

OS address, and the other is a saving target of the execution 
state. The ''ecall" instniciion saves tbc register state at a lime 
of the call up (or more accurately the register stale when the 
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(xxics, Ibe cunlexl of the execulioD immedijilely beCurc lhal 
is encrypled and saved >\'hile all the applicalioa regislcrs are 
either eiicfvptcd or initialized, and a signature made by the 
processor is attached to tlie »intex1 inFormation. 'ITie signa- 
ture is verilled at a lime o^ recovery irom the inlerruplion, 
to check whether the signaniic is proper or not. When the 
Jmpriiper signature is detected, the recovery is stopped so 
that the illegal alteration of the context information hy the 
user caa be prevented. At this point» the encryption target 
registers arc user registers 701 to 720 shown in FIG. 9. 

In the Pentium Pro architecture, there is a hardware 
mechaoLSiD lor assisting I he saving of the conlexl intbrma- 
tion of the process into the memory and its recovery. A 
region for saving the state is called TSS (Task State 
Segment). In the following, an cxeniplary case of applying 
the present invenliun lo this meebanisni will be described^ 
but the present invention is not limited to the Pentium Pro 
architecture, and equally applicable to any pmcessor archi- 
tectures in general. 

Hie saving of the cunlexl information in conjunclion with 
the exception occurrence takes place in the fnllnwing case. 
When the exception occurs an entry corresponding to the 
inlemiplion cause is read out Irom a table calletl IDT 
(Interrupt Descriptive Tabic) for describing ihc exception 
processing, and the pmoessii^ described there is executed. 
When tlie entry indicates a IKS, the context information 
saved in the indicated TSS is recovered lo the processor. On 
the other hand, the context information of the process that 
has been executed up until then is saved in the 'l>vS region 
specified by a task register 725 at that point. 

Using this automatic context saving mcchaoism, it is 
possible to save the entire state of the application including 
the ]>rogram counter and the stack pointer, and detect any 
alteration at a time of the recovery by verifying the signa- 
ture. However, when this automatic context saving is used, 
apart from the fact that a large overhead will be caused by 
the conlexl switching, there arises a problem lhal il is 
impossible to carry out the ioterruplion processing without 
using the TSS. 

In order to reduce tlie overliead due to the interruption 
processing, or Lo mainlain the compatibility with the existing 
progranis, it is preferable not to u.se tlie automatic context 
saving mecbanism, but in such a case, the program counljer 
will be saved on the stack and cannot be a target of the 
verification, so that it can be a target of tlie aheration by the 
malicious OS. These two cases shouki preferably used in 
their proper ways according to the purpose. I -or this reason, 
the microprocessor of this embodiment adopts tlie automatic 
context saving with respect to the protected (encrypted) 
execution codes as a result of attaching more importance to 
the safety. The registers to be automatically saved may not 
necessarily be all registers. 

'Ibe context saving and recovery processing in this 
embodiment has the foUowing three major features. 

(1) 'the contents of the saved context can l)e decrypted 
only by the microprocessor that generated the context and a 
person who knows the cnciyption key Kcodc of the program 
that generated the context. 

(2) In the case where the program protected by some 
execution code encryption key X is intcrmptcd and its 
coiitext is saved, its restart processing cannot be applied to 
the restart of a non-protected program or a program 
encrypted by another execution cotle encryption key Y 
Kamcly, the program to bo recovered from the interruption 
cannot be replaced by another paigram at a lime of the 
restart. 

(3) The recovery of the altered context is prohibited. 
Namely, if the saved context is altered, that context will not 
be recovered. 
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By the above feature (1), it is possible to mainlain the 
safety of the context information while enabling the analysis 
of the conlexl information by the program vendor. The fact 
that the program vendor has a ri^l to analyze the context 

5 information Is important in order to maintain the quality of 
the program by analyzing causes oi" any trouble lhal 
occurred acairding to a condition by which the program is 
used by the user. 

I be above feature (2) is effective in preventing a situation 

in where an attacker applies the context generated by the 
execution of a program A to another encrypted program 
and restart^; the program \\ from a known state saved in the 
context in order to analyze secrets of the data or tlie codes 
contained in the program T1 or alter the operation of the 

15 pmgram 'Ibis function is also a prerequisite for the data 
protection to be described below in which each one of a 
plurality of applications maintains own encrypted data 
exclusively and independently from the others. 
By the above feature (3), it is possible to strictly eliminate 

20 the alteration of the context information utilizing an occa- 
sion of the restart of the program. 

The reason for providing such a function is that simply 
encrypting the context information according to the secret 
informatk)n of the processor can protect the comcxt infor- 

25 mation from the alteration according to the intention of the 
attacker, but it is impossible to cUmiaate a possibility for the 
random alteration of tbc context that results in the restart of 
Ibe program from a stale wilh random eirc>i!>. 
In the following, the comcxt saving and verification 

30 method incorporating the above three iealures will be 
described in furlher detail. 
<Contcxt Saving Proccssing> 

FIG. 10 shows the context saving format in this embodi- 
ment conceptually. It is assumetl thai the inlemiplion due to 

35 the hardware or software related cause has occurred during 
the execution of the protected program. If the IDT entry 
conres-ponding lo the inierniplion indicates a TSS, the execu- 
tion stale of the pwgram up to that point is encrypted, ami 
savetl as ihe context information in a TSS indicated by the 

41) current task register 725 (rather than the indicated TxSS 
itself). Then, the execution stale savetl in the TSS indicale^l 
by tlie M) r entry is recovered to the processor. If the IDT 
entry does not indicate a 'ISS, only the encryption or the 
initialization of the current registers is carried out, and the 

45 saving into the *1"SS docs not takes place. Of course the 
restart of that program becomes impossible in that case. 
Note however that the system registers including a part of 
the flag registers and the task register are excluded from a 
target of the encryption or the initialization of the registers 

51) for the sake of continuation of the OS operation. 

'fhe contents of the context shown in I Ki. 10 are actually 
interleaved, encrypted in block units and stored in the 
memory. Here the information items to lie saved will be 
described first . At a top, stack pointers and user registers 802 

55 to 825 corresponding to respective privileged modes arc 
provided, and one word 826 indicating a TSS size and Ihe 
presence/absence of the encryption is placed next. This 
indicates whether the TSS in which the processor is saved is 
encrypted or not. Even in the case where the TSS is 

(io cuciyptcd, this region will be maintamed in a plaintext form 
without being encT>'pted. 

After that, data encryption control register (CYO to CY3) 
regions 827 to 830 lhal are added for the purpose of the data 
prolection are placed, and a padding 831 tor adjusting the 

65 size to the block length is placed. Finally, a value ^codA^] 
832 in which a key Kr used in encrypting the context is 
encrypted by the secret key algorithm using the execution 
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Ihe public key algarilhzD iii&ing ihe public key Kp uf ihc 
microprucessur 101. In order lo encrypt data safely io the 
public key algorithm, a large redundancy is necessary, so 
til at a length of the cncryiited data bea^mes longer than a 
lenglh of the original data. Here, lengths ol' Ks and Kp arc 
set to be 1024 bits, a length of Kcodc is set to be 64 bits, 
which is extended to 256 bits by padding, and ii[Kcode] ts 
encry])ted in a length of 1024 bits and stored in tlie key 
object region 310. When Kcodc is so long that it cannot be 
stored in 1024 bits^ it is divided into a plurality o£ bbcks of 
1024 bits size each and stored. 

FIG. 8 sununari'/es the infonDalioD llow in the code 
decryption. A program counter 501 indicates an address 
"Addr" on an encrypted code region 502 on a logical address 
space 502. The logical address "Addr^ is converted into the 
physical address "Addr*" according lo the page table 307 
thai is read out to the instruction TLB 121. At the same time, 
the encrypted code decrypt k>n key CpCcode] is uken out 
from the key table 309, decrypted by using the secret key Ks 
provided in the CPU at a decxyplion Oinclion 506, and stored 
into a curient code decryption key memory unit 507. The 
commoii key Kcodc for the code encryption is cnciyptcd by 
using the public key Kp of the microprocessor 101 by the 
ppogram vendor, and supplied abng with the program 
encrypted by using Kcodc, so that the user who docs not 
know the secret key Ks of the microproocssor 101 cannot 
know Kcodc. 

After the program execution codes arc cnciyptcd by using 
Koode ai>d shipped, the program vendor keeps and manages 
Kcodc safely such that its secret will not be leaked to a third 
parly. 

An en Lire key table 511 and an entire page table 512 are 
placed in a physical memory 510, and their addresses arc 
spedlied by a key table register 508 and a CR3 register 509 
respectively. From the contents of these entire tables, only 
necessary portions are cached into the instruction TLB 121 
Ihrough the bus inLerface unit 112. 
. Now, when a content 503 ct^rresponding to the physical 
address *'Atldr'" as converted by the instruction TLB 121 is 
read out by the bus interlace unit 112, this page is encrypted 
so that it is dccryjited at a code decryiJtioii function 212. Ihe 
reading is carried out in units of the cache line size, and after 
the decryption in 1)1 ock units, the inverse prixrcssing of the 
iiuerlcaving described al>ovc is carried out. Ihc decrypted 
result is stored in the LI instruction cache 213, and executed 
a;^ an instruction. 

Here, the mediod for loading the encrypted program and 
the relocation of the encrypted program will be described, 
l-'or the loading of a program into tlic nicinory, there is a 
method in which a program loader changes an address value 
contained in the execution codes of the program in order to 
deal with achange nf an address for loading thepmgram,but 
this method is not applicable to the encrypted program. 
However, tlie relocation of the encrypted program is pos- 
sible by using a method of realizing the relocation without 
directly rewriting the execution codes by uiilizing a table 
caUcd Jump table or lAT (Import Address Table). 

Further details of the loading procedure and the relocation 
for general programs can be found, for cxampk:, in T,. W. 
Allen et al., 'Trogram Loading in OSF/1, USENIX winter, 
1991, and the loading method and the relocation for the 
encrypted program can be found in Japanese Patent .^>pli- 
cation No. 2000-35898 of the applicants. 

It is possible lo protect the execution codes placed on the 
memory external of the processor by the above tkjsciibed 
method for decrypting the encrypted execution codes of the 
program, reading them out to the cache memory inside Ihe 
processor, and executing them. 
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However, the execution codes that are decryple^l into 
plaintext can exist inside the processor. Even if it is impos- 
silile to read them out directly from outside the processor, 
there is a jwssiliility for tlie plaintext program to be read out 
5 and analyzed by the other programs lhat are opera le^l in the 
same processor. 

In this emlxidiment, tlie key decryption processing by 
using the necret key 241 and the key decry|Hion unit 232 of 
the instruction TLB 121 is not carried out at a time of data 
reading into an LI data cache 218. When the data reading is 
carried out with respect to an encrypted page for which an 
encryption Hag 307-J-E is set lo "1** in the page table, eilher 
non-decrypted original data or data of a prescribed value "0** 
will be read out, or else an exception occurs such that the 
normally ckcrypted data canixjl be read out. Note thai when 
the encryption Hag 307-J-E in the page table is rewritten, the 
decrypted content of the corresponding iostmction cache 
will 1^ invalidated. 

By this mechanism, it becomes impossible for the other 
programs (including Ihe own program) to read the execution 
zn codes of the encrypted program as data, and decrypt them by 
utilizing fimctions of the processor. 

Also, the other programs catmot cxplichly read data in the 
instruction cache, so that the safety of the execution codes 
can be guaranteed. The safety of the data will be described 
25 below. 

Because the encrypted execution codes can be executed m 
this way, in the microprocessor of this embodiment, by 
selecting the encryption algorithm and parameters 
appropriately, it can be made cryptographically hnpossiblc 

30 lor a party who does not know the true value of the exeoi lion 
code eocrypliun key Kcude lo analyze the operation of the 
program by dc-a&scmbiing the execution codes. 

Thus the user cannot know the true value of Ihe execution 
code encryption key Kcode, and it can be made cryplo- 

35 graphically impossible for the user to make an alteration 
according lo the user*s intention such as illegal copying of 
the c<.>ntenls handled by the application by allering a part of 
the encrypted program. 

Next, another feature of the inicropr(.K:e.s.sor of this 

41) embiidiment regarding the eiK:ryption, signature and its 
veritication for the context at a lime of interrupting the 
program execution under the multi-task environment will be 
described. 

The execution of the program under the raulli-la.sk envi- 
45 moment is often interrupted by the exception. Normally, 
when the execution is intermixed, a state in tlie pmcessi^r is 
saved on the memory, and tlien the original state is recovered 
at a time of restarting the execution of that program later on. 
In this way, it becomes possible to cxcculc a plurality of 
5n programs in a quasi parallel manner and accept the inter- 
ruption processing. 'Iliis information on the state at a time of 
the intcnuption is called the context information, the context 
information contains information on registers used by the 
application, and in some cases, information on registers that 
55 arc not explicitly used by the application is also contained in 
addition. 

In the conventional processor, when the interruption 
occurs during the execution of some program, the cnntml is 
shifted to the execution codes of the OS while the register 

60 state of the apphcation is maintained, so that the OS can 
check the register slate of lhat program to guess whal 
instructions were executed, or alter the context information 
maintained in a plaintext form during the interruption so as 
to change the operation of the program after the restart of the 

05 execution of that program. 

In view of this fact, in this embodiment, when the 
interruption occurs during the execution of the protected 
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form inlo a memory (the main memory 281 ol' FIG. 4, for 
example) external ul' the micropmcessor 101. 

'llie data encryption/decryption is carried out in units of 
tlie cache line that is interleaved as described alxive in 
relation lu ihe cootexl cncr^'plion. For this reas(.m, even 
wfacn one bit of the data on the Li cache 114 is rcwrittcD, the 
other bits Jn tlie cache line will be rewritten on tlie memory. 
'I Tib execution of the data reading/Writing ts carried nut 
collectively in units of the cache line, so that the increase of 
the overhead is not so large, but it should be noted that the 
reading/writing with respect to tlie eiicryiHed memory 
regions cHnnol be carried oul in unitM less Ihan or equal to Ihe 
cache line size. 

In the above, the method for protecting the data by 
encryption in this embodiment has been described. By this 
melbod, on the main memory, it is possible to process Ihe 
encrypted data by encrypting them inside the processor by 
using the encryption key and the memory range sjiecified by 
Ihe application program, and read/wrile Ibem as plaiolexl. 
data £rom a viewpoint of Ihe applicalion. 

Next, two mechanisms for preventing reading of tlie data 
stored in a plaintext form in the cache memory inside the 
processor by a program other than the encrypted programs 
that has read these data (which will be referred to as the other 
program) will be described. 

First, the program is identified by its coco'ption key. This 
idcndlication is made by using a key object identifier used 
at a time of decrypting the currently executed instruction 
inskle the processor. Here, a value of ibe key itself may be 
used for this identification, but a value of the execution code 
decryption key has a rather large size of 1024 bits beloie the 
decryption or of 128 bits after the decryption which would 
require an uxarcase of the baxdwaic size, so that the key 
object identifier which has a total length of only 10 bits is 
used. 

The Ll instruction cache 213 in which the decrypted 
execution codes are to be stored has an atlribuLe memories 
in correspondences to the cache lines. When the decrypted 
execution codes are stored into the Ll instruction cache 213 
by the code decryption functicm 212, the key object identifier 
is written into the attribute memory. 

Also, in the case of reading the encrypLed data from the 
memory and dccryiHing it, the contents of the data protection 
attribute registers CYO to (:Y3 are read mt from the register 
file 253 to a protection table management function 233 of the 
data '11.13 141. At this |X)int, the key object identifier 
corresponding to the currently executed instruction is also 
read from the current code encryption key memoiy unit 251 
at tlK same time and maintained in the protection table 
management function 233. 

Similarly as in the case of the instruction cache, tlie data 
cache 218 has attribute memories in correspondence to the 
cache lines. When the data tead out from the memoiy is 
decryi)ted by the data decryption function 219 and stored 
into the Ll data cache 218, the key object identifier is written 
into the attribute memory from the protection tabic man- 
agement fimction 233. 

When some instiuctioQ is executed and the data referring 
is carried out, the key object identifier written in the attribute 
of the data cache and the key object of that instruction in the 
instruction cache arc compared by the secret protection 
violalion deleclion unit 256. If ibey do not coincide, the 
exception of the secret protection violation occurs and the 
data relening falls. In Ihec^ise where the attribute of the data 
cache indicates a plaintext, the data reUerring always suc- 
ceeds. 

Note dial, when the aiiribules of the iasiruction and the 
data do not coincide, instead of causing the exception, it is 



53,374 B2 

30 

also possible to discard the content of this data caclie and 
le-read the data from the memory once again. 

For example, consider program- 1 and program-2 Ibr 
which the execution c^nle encryption key as well as Ihe data 

5 paitectiou attribute registers CYO to CY3 are different. If the 
encrypted data referred and wrillen into the cache by the 
prograin-l Is to be referred by the pA")gram-2, the program-2 
will read out a different data, lliis operation is in accord with 
the purpose of protecting secrets. 

10 If two programs have the same data encryption key and 
data at the same address are referred by them, the same data 
will read so that this data can 1>e shared lietween them. 

In this way, in this em1x>diment, data generated hy some 
program-1 can be proteaed from being refcned by another 

1 5 prograin-2 hy providing a function for maintaining attriliutes 
of the instruction to be executed and the data indicating 
programs to which they originally belong, and comparing 
the attributes to see if they coincide or not at a time of the 
data rcfciring due to the instruction execution. 

ZD <Gntry Gate> 

In this embodiment, the cases where the control can be 
shifted from the non-protcaed code to the protected oocfe arc 
limited only to the following two cases: 
(X) the case where the context encrypted by using the 

25 execution code encryption key (that is, the context having a 
random number) that coincides with a restart address is to be 
restarted; and 

(2) the case where the control is shifted from a non- 
protected code to an entry gate hastruction ("egate" 

30 instruction) of Ibe protected code, by the execution of the 
consecutive codes or by a Jump or call instruction. 

This limitatioo is placed m order to prevent an attacker 
irom obuining information on code fragments by executing 
the code from arbitrary position. The procedure for the 

35 above (1) has already been described in relation to the 
context recovery. Namely, the control is shifted to the 
execution of the protected code only when it is verified that 
Ihe context inlormalion matching with the execution code 
encryption key of Ihe code that was executed immediately 

40 before the interruption is contained, and that the proi)er 
signature given by ibie microprocessor 101 is altachetl. 

The above (2) is a processing for prohibiting a transition 
to the execution of the protected code unless a special 
instruction called entry gale (*'egale") instruction is executed 

45 at the beginning of the control in the case of shifting the 
control from the non-protected code to the protected code. 

I'ICi. II shows a procedure for switching a protection 
domain based on the entry gate instruction. 'Ihe inicn^pm- 
cessor 101 is maintaining the encryption key of the currently 

51) executed code in the current code encryption key memory 
unit 251 (see IICS. 4) of the exception processing unit 131. 
First, whether the value of this key is changed in conjunction 
with the execution of the instruction or not is judged (step 
601). When the change of the key value is detected (step 601 

55 NO), whether the instmction executed in oonjimction with 
the change is an entr>' gate (''cgatc") instmction or not is 
checked next (step S602), If it is the entry gate instruction, 
it implies that it is a proper instruction so that the control can 
be sbificd to the changed code. Consequently, wfacn it is 

60 Judged as an entry gate instruction (step 602 YES), this 
instruction is executed. 

On the other haod, when it is Judged as not an entry gate 
instruction (step 602 NO), ii implies that the interrupted 
instruction is an improper instruction. In this case, whether 

OS the instruction that was executed immediately previously is 
an encrypted (protected) instruction or not is judged (step 
603). If it is a non-protected instruction, the exception 
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program counter is in a slate al'ler the *'ecaU" ioslniclioD is At a lime of Ihe recovery of Ihe user TSS by the 

Lssued) iolo a region specilietl by the operand '*uTSS", in a applicaiioti. an attack for substituting the user TSvS by the OS 

format similar to that in the case of the encryjited 'I'SS whichhasprivilegesisnolcnlircly impossible. However, the 

described al>ove. hi t1)e fnllowiiig, this region will be interchangeable TSS informalion in such a case is only the 

referred lo as a user TSS. 5 context information whose execution is always started 

The difiBcrcncc between the user TSS and the system TSS through the "cgate" and which is saved by the saving of the 

lies in that, in ihe user rvgisler shown in FIG. lU, a U Hag execution slate caused by (he interruption or by the user 

is set in a region 825-2 on the TSS. The difference in the explicidy, as long as ihe execution code encr>'piion key of 

operation will be described later. In the saving of the user the protection domain is managed correctlv. Apossil^ility for 

I vSS nitothe memory, the data pAitection attributes defined the lealcagc of the .secrets of the application due to the 

m the dala protection aliribule registers CYO lo CY^ by the interchange of this ctmlexl inlormalion is quite smaU. and il 

user are not aiylied, similarly as in the case ol the saving or quite difficult for an attacker to guess what kind of the 

the context mformation into the system TSS ^^.^^^^ informalion interchange is necessary in acquiring 

The call target code o£ the oon-prolection doraam cannot ^ cccrete of the aiwlicatirtii - c 

exchange paraiiKtcrs because the Tceistcrs arc initialized by Tht^,^^L ^}l^u ?Xr.^ rh. nr^.^H^, H^.i. 

Ihe execution of Ihe "ecall" inslruafon. For this reason, Ihe ,c . ^^^"^ proeedure tor caU yP from the prwection domain to 

parameters are acquired from a prescribed address -param" ^l.T?'^'^ 1 domain described above is a bo appb- 

1204. and the nc<xssary procc&Sng is carried out. There is ^^^'''^ ^ f""^^,^'":/?' shifting the ai^trol between the 

oo lilnilaiion on Ihe prSgrammi^ in Ibe non- protection r'^^^.T '^TT'"^ instruction to be executed lin.! at 

domain. In the example S FIG. 14. a sub-routine "qqci" ^^^^ ""^^^^ instruction of the calhog source 

1213 is called up (proccs&ing 1225). The call up from the , ... .1. « « _ . j • 

protection domain Mr, be adajted Ui the call up semantics of «=^^',*» f"" "? ^ potecUoa domains 

Uie sub-rouiine "qqq" by pla<:ing an adaptor ixle for copy- P™*** «"". '^'^^ encrypung ^ region lor 

ing slack poinl^r^lling and the parameters lo the slal, c«l>«8«>8 paramctcis between these OKMCCtlon domauB. 

b^een "exx" and tl« call up of "qqq". fnr example. 1^ f '"'^'^T'P*'"" « "^'"1 hy carrying ou the 

processing icsult is sent to the callhJg source through the «"ll'«?<i'-?Uon key exchange between Ihese protection 

parameter region 1204 on the memory (processing 1226). 2$ "om-iw^ >n .. . 

When the processing of the SUb-XOUlinc is OOmptotcd. a described, according to the microprt)Ccs.sor of the 

"sret- instmction is iiued in o^rll; l^rn thTiiSto P^f"^ TT'k^ beconie.s possible .0 prevent the illegal 

the calling source protection domain (proces-sing 1227). '""'^>'^^* " Pi'^'y V"^^o'^^S^»^ 

The "^r instricdon takes 00c operand tbr^specit^ing ^je p«>t:essing target data of Ihe execu- 

thc user TSS. unlike the "ret" inaction that has 00 io "-"'"S encryption, under the mulli-ta-sk- 

nperaiid. Here, the user ms 12«3 is specified iixlirectly a.s «nvuonmeni. 

Ihe recovery informalion through a Jointer stored in the »' '~"»'P'«' P??^'« ^ .P"^'"' ""^ '""K'^ '"y^^^S 

parameter region "param" 1204 ThcVccovcry of the user the cncfyptwn attnbutcs in the case of swing the 

TSS by the "sret" instruction largely differs from the recov- TI." t, , . ^ .u .^a 

eryofLsj'steml'SS in that tlie task register is not affected „ J^.] " ^T'^^" f"^''?'' ^ P^^'^^ the e„cryp1«d data 

at all even when the user TSS is recovered. The task link " '^«8*' att^ks by using turbitrary random number Kr 

field of the user TSS voll be ignored. The recovery will fiUl l"*". * ^'^f , « encryption key for the 

when the system TSS with the U flog 825-2 set to 'W is pf(KM.viing target data. , ■ 

specilietl in the operand of the 'W insmiclkin. . •'^««'°>«'' PJ'=»*J'» "> '^nry out Ihe ^tebuggmg m 

At a time of Ihe execuliop of the recovery, the decryption 5^ Pi""**'" ""^T'^ll!""^ ^^^^f^ °° 

of the exccuuon state and the vcnficatioi, of the execution *» ^«^"«>«,<:ao be provided to the program vendor who knows 

code encrvption kev and the signature already described Ihe execu ion code encrypl.oi, key. 

above are earned ou , and when the violation is detected, Ihe I'.^'^V"""}* ^^^^ P"^""' T*^."* 

exception of the secret prolecUon violaiion will occur. When ^t?^'** microproceiBor and supptMS thc«»t of ho 

the ^^=rificatlon succeed, the execution is restarted fmin an '"'croprocessiV by saving .ofom»tion that required the 

instruction next w the calling source "ecall" instruction, lliis 4S pro ecuon such as the enarypW»o olmbulo lolbinialion 

adilress is encrypted and signed in Ihe user TCS, so lhal it is '^'^ "T''' ''i" fl^"^ ' signature of ^ 

crypiographically impossible to forge this address. All the '"'^r^P'^f^y^ '"'^'''S '^"'y *e oece.s.«ify portion into he 

reg^steTs except for the program counter will be .set back to ''^If " ""^'d' '"e microprocessor, and carrying out the 

the state befoA the call ip, t> that the code of the protection . ^'^"^^"Jl " "^'^"^'^ 

domain acquires the creation result of the sib-routinc 51. 'Il^':'):^ ^^^V^"^ he subsuiuiion at a time of the 

"CSX" from the parameter region 1204. reading can also lie guaran eed 

At a time of shifting thelJontrol to the non-protection . '» "''^ ^ "^'f ^'^"^ thcise already mentioned 

ilomaio after Ihc procSising of the pioleclion domain is and vanaUons ol Ihe above 

completed, an "cjmp" insSuction is used. The "cjmp" C"«l»<lii«enls may be made without departing from the 

instfSetion does c\rry out the saving of the state, uilikc „ no^l jpd advantageous features of the pre.sent mvenuon. 

Ihe "ecaU" inslniclion. It the conliul is .shiftol ^^m Ihe " ^^^S^^^lJ^ t'^i '"^'^I'l*"* /i"***" 

proleclion domain lo the nou-proleclion domain by Ihe f^'^ » "^^^^ «»P« •PPCK>«1 

instruction other than "ccall" and "cjmp", such as "Imp" or wif« « m->w^ 

"call", the exception ofthe .secret protection violation occurs wnat is ciaimca is. 

and the encrypted context information is sav«l in the TSS ? " * .n|croprocessor having a unique secret key and a 

region (a region intlicBled by the task register) of the system. P'-bbc key corresponding to the unique secnt key 

Note that the context information will be marked as mm- *ixltm»\, compnsmg: 

restartaljle at this point. Note also that specifying an addres.s » «a''™g conligured to read wit a pluraUly of 

in Ihe protection domain as a jumping target of the '"ejmp" programs encrypted by using different execution code 

instruction does not cause the violation. encryption keys from an external memory; 

'I1iis completes the description of a procedure for call up 65 a decryption unit configured to decrypt the plurality of 

fnirn the protection domain to the non-protection domain programs leadoul by the reading unit by using lespec- 

and newly added instructions used in that procedure. live decryption keys; 
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an execuLioD unil cunligiinxl to execute the pluialily o£ 
programs dtcryptcd by the decryption unit; 

a context information saving unit configured to save a 
context information for one program whose execution 
is to be interrupted, into the external memory or a ^ 
context information memory provided inside the 
microprocessor, the context information containing 
information indicating an execution state of the one 
program and the execution code encryption key of the 
ODC program; and 

a restart unit configured to restart an execution of ihc one 
program by reading out the context information from 
the external memory or the context information 
memory, and recovering the execution state of the one 
program from the conLexL informalion; 

wherein the a^ntext information saving unit is configured 
to generate a random number as a temporary key, to 
encrypt the context information, and to save an 
encrypted context information into the external 
memory, the encrypted context information containing 
a first vahie obtained by encrypting information indi- 
cating the execution state of the one program by using 
the temporary Icey and a second value obtained by 
cncryi)ting tlic temporary key by using the public key; 

the restart unit is configured to restart the execution of the 
cue program by icadii^ out the encrypted context 
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ioibrmation from the external memory decrypting the 
temporary key from the second value contained in the 
encrypted context information by \isiog the secret key, 
decrypting the inibrmalion indicating the execution 
state fmm the first value contained in the encrypted 
context informatioa by using a decrypted temporary 
key, and recxivering the execution slaUi of the one 
program from a decrypted context information; and 
the context infoimalicn saving unil saves the encrypted 
aintext information that also contains a tliird value 
ol^tained by encrypting tlie tenqx^rary key l)y using the 
execution code encryption key of the one program. 
2. 'llie microprocessor of claim 1, wherein the restart unit 
15 deco'pui a lirsL temporary key from the second value con- 
tained in the encryjned context information by using the 
secret key and decrypts the infomsation indicating the 
execution state from the first value contained in the 
encryi>ted context information by using the first decrypted 
20 temporary key, while decrypting a second temporary key 
fmm the third value contained in the encrypted context 
information by using the execution code encryjition key of • 
tlic one program, atid restarts the execution of the one 
program only wIko the first decry|)ted tenii)orary key coin- 
25 cklcs with the second decrypted temporary key. 
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